[Snort-users] Passive Tap Help

Frank Knobbe frank at ...9761...
Mon Dec 1 20:18:09 EST 2003

On Mon, 2003-12-01 at 15:01, Dirk Geschke wrote:
> There is one important thing you should not oversee. With two separate
> instances of snort and therefore two instances of pcap you won't be
> able to use the stream4 preprocessor and especially the "established"
> feature. 

That's correct. Snort does not reassemble packets/streams received from
different sources. Other IDS "claim" they can. Thus this solution is not
recommended for Snort. I just listed that as an option since there are
IDSes that claim they can take in separate directions of traffic and
merge it in the IDS. I used this example to show the difference between
combining the streams on a network/OS level and application/IDS level.
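
Added example, not part of the original message and not Snort's stream4 code: a simplified handshake tracker showing why a sensor instance that sees only one direction of a tapped link never marks the session established, while an instance fed the merged stream does. The addresses, the packet list and the function names are constructed for illustration.

```python
# Simplified three-way-handshake tracker (illustrative model, not stream4).
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags")  # flags: set of TCP flag names

CLIENT, SERVER = "10.0.0.5:40000", "192.0.2.10:80"  # constructed endpoints

# Constructed sample session: handshake, then one data segment each way.
SESSION = [
    Pkt(CLIENT, SERVER, {"SYN"}),
    Pkt(SERVER, CLIENT, {"SYN", "ACK"}),
    Pkt(CLIENT, SERVER, {"ACK"}),
    Pkt(CLIENT, SERVER, {"PSH", "ACK"}),
    Pkt(SERVER, CLIENT, {"PSH", "ACK"}),
]

def established_packets(packets):
    """Count packets that one sensor instance would treat as belonging to
    an established session, given only the packets that instance sees."""
    state = {}  # flow key -> "SYN_SENT" | "SYN_RCVD" | "ESTABLISHED"
    count = 0
    for p in packets:
        key = frozenset((p.src, p.dst))  # same key for both directions
        st = state.get(key)
        if st == "ESTABLISHED":
            count += 1
        elif p.flags == {"SYN"}:
            state[key] = "SYN_SENT"
        elif p.flags == {"SYN", "ACK"} and st == "SYN_SENT":
            state[key] = "SYN_RCVD"
        elif p.flags == {"ACK"} and st == "SYN_RCVD":
            state[key] = "ESTABLISHED"
    return count

def split_by_direction(packets):
    """Model a passive tap: one output per direction of the link."""
    tx = [p for p in packets if p.src == CLIENT]
    rx = [p for p in packets if p.src == SERVER]
    return tx, rx

if __name__ == "__main__":
    tx, rx = split_by_direction(SESSION)
    print("merged feed, one instance:", established_packets(SESSION))
    print("TX-only instance:", established_packets(tx))
    print("RX-only instance:", established_packets(rx))
```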

