[Snort-users] Snort, Stream4 State and Ethernet Taps.

counter.spy at ...348...
Wed May 1 09:58:09 EDT 2002


Vjay,

>I understand the whole concept of splitting one stream into two streams
>and how to put them back together. What I really am interested in
>understanding is if you don't, can't or won't put the two streams back
>together, how will it affect Stream 4 stateful inspection.
>

This was also answered previously, by Chris Green.
  <previous post>
  counter.spy asked:
  Wouldn't I lose the stateful inspection capability of snort when
  using the third method? (that was running two instances, one for each
  interface)
  
  Chris Green answered:
  Yes.
  
  I further asked:
  Each snort process only sees one direction of each connection, so
  it cannot know if a connection has been properly established or not.
  It seems to me that this is a problem that most NIDS should
  encounter when running on tap ports, right?

  Chris answered:
  Yup.
  </previous post>

>I am not interested in the "how to put things back together conversation",
>just what will happen to stream4 if they are permanently split. Thanks!

Well, if you are running the -z est option you will lose sight of stateful
TCP attacks (anyone correct me if I am wrong).

Otherwise, I think you would still get all attacks, and the split-up
datastreams should not affect the reassembly, because this can still be done
for each direction. I suggest you run tests on this and let us know the
results.

You will probably get problems if you are using the detect_state_problems
feature of the stream4 preprocessor.

>vjl

HTH
Any more questions? ;)

Greetings,
Detmar


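Added example, not code from this thread or from Snort itself: a toy Python session tracker that plays through the situation discussed above, one sensor fed both directions of a connection versus one fed a single leg of a tap. The packets, the "phf" signature string and the simplified state machine are all constructed for illustration; the -z est and detect_state_problems behaviour is only mimicked, not stream4's real implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str          # subset of "S" (SYN), "A" (ACK), "P" (PSH)
    payload: bytes = b""

# Constructed sample session (not a real capture): client C opens a
# connection to server S and sends a request containing a suspicious string.
C, S = "10.0.0.1", "10.0.0.2"
SESSION = [
    Pkt(C, S, "S"),
    Pkt(S, C, "SA"),
    Pkt(C, S, "A"),
    Pkt(C, S, "PA", b"GET /cgi-bin/phf HTTP/1.0"),
    Pkt(S, C, "PA", b"HTTP/1.0 404 Not Found"),
]
SIGNATURE = b"/phf"  # stand-in for a content rule

def track(packets, established_only=False):
    """Toy stream4-like tracker; returns (alerts, state_problems).

    established_only mimics the -z est switch: a content match only counts
    once this sensor has seen the full three-way handshake. The problems
    list mimics what detect_state_problems would complain about.
    """
    state = "CLOSED"
    alerts, problems = [], []
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:      # SYN
            if state == "CLOSED":
                state = "SYN_SENT"
            else:
                problems.append(("repeated SYN", p))
        elif "S" in p.flags:                            # SYN/ACK
            if state == "SYN_SENT":
                state = "SYN_RCVD"
            else:
                problems.append(("SYN/ACK without SYN", p))
        else:                                           # ACK or data
            if state == "SYN_RCVD":
                state = "ESTABLISHED"
            elif state != "ESTABLISHED":
                problems.append(("ACK/data outside handshake", p))
        if SIGNATURE in p.payload and (state == "ESTABLISHED" or not established_only):
            alerts.append(p)
    return alerts, problems

def one_direction(packets, src):
    """Simulate a sensor on one leg of a tap: it only sees packets from src."""
    return [p for p in packets if p.src == src]
```

With both directions the tracker reaches ESTABLISHED and raises exactly one alert with no state problems; fed only the client leg it never gets past SYN_SENT, so the -z est style run misses the request entirely while the state-problem check fires on every later packet.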
