[Snort-users] Snort, Stream4 State and Ethernet Taps.

Wirth, Jeff WirthJe at ...4876...
Wed May 1 07:35:57 EDT 2002


From: larosa, vjay [mailto:larosa_vjay at ...3331...]

> I was just thinking about something, If I have an ethernet 
> full duplex 100
> Mb link, and I insert an ethernet tap that splits
> the full duplex link in to two half duplex streams, then run 
> two seperate
> instances of snort to monitor each half duplex link.
> How will this affect the Stream 4 preprocessor with regards 
> to TCP state? If
> the initial syn goes out past one snort
> process, the syn-ack comes back in past the second snort 
> process and the
> final ack in the TCP three way handshake
> goes out past snort process 1 again. Will snort ignore this 
> conversation now
> and not pass on the packets for rules parsing becuase the 
> handshake was not
> seen entirely by one snort process? Or will Stream 4 assume 
> bi-directional
> flow is in play
> on each process because process 1 saw the syn as well as the ack, and
> process 2 saw a syn-ack?

Take a look at the mail archive.  There was a tread on this topic last
week...

http://sourceforge.net/search/?type=mlists&exact=1&q=taps&offset=25&group_id
=3357&forum_id=3972


- Jeff




More information about the Snort-users mailing list