[Snort-users] Passive Tap Help
frank at ...9761...
Mon Dec 1 20:18:09 EST 2003
On Mon, 2003-12-01 at 15:01, Dirk Geschke wrote:
> There is one important thing you should not oversee. With two separate
> instances of snort and therefore two instances of pcap you won't be
> able to use the stream4 preprocessor and especially the "established"
That's correct. Snort does not reassemble packets/streams received from
different sources. Other IDS "claim" they can. Thus this solution is not
recommended for Snort. I just listed that as an option since there are
IDSs that claim they can take in separate directions of traffic and
merge it in the IDS. I used this example to show the difference between
combining the streams on a network/OS level and application/IDS level.
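An added illustration of the point discussed in this thread (not part of the original messages and not Snort's own code): a simplified handshake tracker fed one TCP session, first with both tap legs merged and then one leg at a time. The addresses, ports, leg labels "a"/"b" and the tracker logic are constructed assumptions that stand in for a stateful "established" check.

```python
from collections import namedtuple

# Constructed sample: one TCP session as seen on the two legs of a passive tap.
Pkt = namedtuple("Pkt", "leg src dst flags payload")
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.80", 80)
SESSION = [
    Pkt("a", CLIENT, SERVER, "S", b""),
    Pkt("b", SERVER, CLIENT, "SA", b""),
    Pkt("a", CLIENT, SERVER, "A", b""),
    Pkt("a", CLIENT, SERVER, "PA", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Pkt("b", SERVER, CLIENT, "PA", b"HTTP/1.0 200 OK\r\n\r\n"),
]

class HandshakeTracker:
    """Minimal three-way-handshake tracker (hypothetical, not stream4's logic)."""

    def __init__(self):
        self.flows = {}  # direction-independent flow key -> (state, initiator)

    def feed(self, p):
        """Update flow state; return True if p belongs to an established flow."""
        key = tuple(sorted((p.src, p.dst)))
        st = self.flows.get(key)
        if p.flags == "S":
            self.flows[key] = ("SYN", p.src)
        elif p.flags == "SA" and st and st[0] == "SYN" and p.dst == st[1]:
            self.flows[key] = ("SYN_ACK", st[1])
        elif "A" in p.flags and st and st[0] == "SYN_ACK" and p.src == st[1]:
            self.flows[key] = ("ESTABLISHED", st[1])
        return self.flows.get(key, (None,))[0] == "ESTABLISHED"

def established_payloads(packets):
    """Payloads a rule restricted to established sessions would get to inspect."""
    tracker = HandshakeTracker()
    hits = []
    for p in packets:
        if tracker.feed(p) and p.payload:
            hits.append(p.payload)
    return hits

def one_leg(leg):
    """Packets seen by a sensor instance attached to a single tap leg."""
    return [p for p in SESSION if p.leg == leg]

if __name__ == "__main__":
    print("merged feed:", len(established_payloads(SESSION)), "payloads inspected")
    for leg in ("a", "b"):
        print("leg", leg, "only:", len(established_payloads(one_leg(leg))), "payloads inspected")
```

Neither single-leg instance ever completes the handshake, so both data packets go uninspected by the state-dependent check, while the merged feed sees both.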