[Snort-users] recommendation for monitoring traffic

Matt Kettler mkettler at ...4108...
Thu Oct 27 12:40:47 EDT 2005

John Friedman wrote:
> Hi all,
> Curently, I span the firewall  port  on teh core switch to the snort
> monitoring port only  for Rx traffic.  The snort is placed inside
> firewall.I manage it through the second NIC on the Snort box.   

> Should I
> monitor both TX/Rx traffic? 

Yes. If you only monitor "half the stream" most snort rules, anything using the
"established" keyword, will never match.

This is because stream4 won't see the full tcp 3-way handshake and will assume
the packets it sees are just garbage and not a part of a real connection.

> If I want to exclude one server from the monitoring segment, what's the
> syntax?

Adding a BPF such as "host not" to your snort command line should
work nicely.

> Thanks in advance,
> John
> BTW, I tried to exclude on server from this motoring segment


More information about the Snort-users mailing list