[Snort-users] snort behind TAP & asynchronous_link

Holger.Woehle at ...2701... Holger.Woehle at ...2701...
Thu Aug 15 02:04:02 EDT 2002


Hello,
I am still stuck on the problem of running snort behind a Shomiti Ethernet TAP.
This is my network:



             +---+     +---+           +---+
             | S |     | R |           | S |
   +-----+   | W |     | O |           | W |   +-------+
   |     |   | I |     | U |   +---+   | I |   |       |
   |  A  |===| T |=====| T |===|TAP|===| T |===| httpd |
   |     |   | C |     | E |   +---+   | C |   |       |
   +-----+   | H |     | R |     |     | H |   +-------+
             | 1 |     |   |     |     | 2 |
             +---+     +---+     |     +---+
                                 |
                              +-------+
                              | SNORT |
                              +-------+

The TAP sits between the Router and Switch2.
Lower surface of the TAP:

                      +--------------------+
                      |    Century TAP     |
    from Router=======A                    B===============> to SWITCH 2
                      |                    |
     <to SNORT========Tap A            Tap B
                      |                    |
                      +--------------------Power-----

I am using Snort 1.9.0beta4 and the default snort.conf with one change:
preprocessor stream4: detect_scans, disable_evasion_alerts, asynchronous_link

If I append keepstates, I understand that snort logs some info about states into
/var/log/snort,
but nothing like a state.log appears there?

Snort does not recognize the alerts with the flow:to_server,established
attributes.
It seems to me that snort does not reassemble the stream.
If I delete the established attribute, snort recognises the alert.
But then I run into my other problem (please see thread: snort seas no
fragmented error).

With regards,
Holger