[Snort-users] Snort, Stream4 State and Ethernet Taps.
WirthJe at ...4876...
Wed May 1 07:35:57 EDT 2002
From: larosa, vjay [mailto:larosa_vjay at ...3331...]
> I was just thinking about something. If I have an ethernet full duplex
> 100 Mb link, and I insert an ethernet tap that splits the full duplex
> link into two half duplex streams, then run two separate instances of
> snort to monitor each half duplex link, how will this affect the
> Stream 4 preprocessor with regards to TCP state? If the initial syn
> goes out past one snort process, the syn-ack comes back in past the
> second snort process and the final ack in the TCP three-way handshake
> goes out past snort process 1 again, will snort ignore this
> conversation now and not pass on the packets for rules parsing because
> the handshake was not seen entirely by one snort process? Or will
> Stream 4 assume flow is in play on each process because process 1 saw
> the syn as well as the ack, and process 2 saw a syn-ack?
Take a look at the mail archive. There was a thread on this topic last
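The scenario in the question above, as an added illustration that is not part of the original thread and is not Snort or Stream4 code: a deliberately strict, simplified handshake tracker run once per tap leg and once over both legs merged by timestamp. The endpoints, the packet list and all function names are constructed assumptions, and the model makes no claim about how Stream4 itself decides.

```python
# Simplified model of a strict TCP handshake tracker (NOT Stream4's real logic).
# Packets are constructed sample data: (timestamp, tap_leg, src, dst, flags).
from collections import defaultdict

CLIENT, SERVER = "10.0.0.5:40000", "192.0.2.10:80"  # constructed endpoints

PACKETS = [
    (1.00, "tx", CLIENT, SERVER, "S"),    # SYN, seen on tap leg "tx"
    (1.01, "rx", SERVER, CLIENT, "SA"),   # SYN-ACK, seen on tap leg "rx"
    (1.02, "tx", CLIENT, SERVER, "A"),    # final ACK, leg "tx" again
    (1.03, "tx", CLIENT, SERVER, "PA"),   # first data segment
]

def flow_key(src, dst):
    """Direction-independent key so both halves map to one session."""
    return tuple(sorted((src, dst)))

def track(packets):
    """Return {flow: state} for a tracker that demands SYN, SYN-ACK, ACK in order."""
    state = defaultdict(lambda: "NONE")
    initiator = {}
    for _ts, _leg, src, dst, flags in sorted(packets):
        key = flow_key(src, dst)
        cur = state[key]
        if flags == "S" and cur == "NONE":
            state[key], initiator[key] = "SYN_SEEN", src
        elif flags == "SA" and cur == "SYN_SEEN" and src != initiator[key]:
            state[key] = "SYNACK_SEEN"
        elif "A" in flags and cur == "SYNACK_SEEN" and src == initiator[key]:
            state[key] = "ESTABLISHED"
    return dict(state)

def per_sensor(packets):
    """Run one independent tracker per tap leg, as two sensor processes would."""
    legs = defaultdict(list)
    for pkt in packets:
        legs[pkt[1]].append(pkt)
    return {leg: track(pkts) for leg, pkts in legs.items()}

def merged(packets):
    """Run one tracker over both legs merged by timestamp."""
    return track(packets)

if __name__ == "__main__":
    print("per sensor:", per_sensor(PACKETS))
    print("merged:    ", merged(PACKETS))
```

In this model neither per-leg tracker reaches ESTABLISHED, while the merged view does; whether a real sensor drops or inspects such traffic depends on its own stream reassembly settings.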