[Snort-users] recommendation for monitoring traffic
mkettler at ...4108...
Thu Oct 27 12:40:47 EDT 2005
John Friedman wrote:
> Hi all,
> Currently, I span the firewall port on the core switch to the snort
> monitoring port only for Rx traffic. The snort is placed inside the
> firewall. I manage it through the second NIC on the Snort box.
> Should I monitor both TX/Rx traffic?
Yes. If you only monitor "half the stream", most snort rules (anything using the
"established" keyword) will never match.
This is because stream4 won't see the full TCP 3-way handshake and will assume
the packets it sees are just garbage and not part of a real connection.
> If I want to exclude one server from the monitoring segment, what's the
Adding a BPF such as "host not 192.168.1.1" to your snort command line should
> Thanks in advance,
> BTW, I tried to exclude one server from this monitoring segment
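The two points in this reply, that a one-direction SPAN starves the stream tracker so "established" rules never fire, and that a host can be excluded with a BPF, can be seen in a small simulation. The following is an added example, not code from the thread or from Snort: it uses a deliberately simplified, hypothetical handshake state machine (not stream4's real implementation) over constructed packets, and a filter function equivalent to the libpcap primitive `not host <addr>`, which is the syntax libpcap actually parses when snort is given a trailing BPF expression or a `-F` filter file. The addresses `10.0.0.5` and `203.0.113.7` are constructed sample values.

```python
"""Constructed illustration (not Snort code): why an Rx-only SPAN leaves
every TCP session un-ESTABLISHED, and what a 'not host X' filter removes.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str      # TCP flag letters seen on the packet, e.g. "S", "SA", "A", "PA"
    direction: str  # "rx": switch receives on the firewall port (outside -> inside)
                    # "tx": switch transmits out the firewall port (inside -> outside)

INSIDE = "10.0.0.5"      # constructed: a host behind the firewall
OUTSIDE = "203.0.113.7"  # constructed: an Internet peer

# Constructed full-duplex view of one connection: 3-way handshake, then data.
SAMPLE = [
    Pkt(OUTSIDE, INSIDE, "S",  "rx"),   # SYN from outside
    Pkt(INSIDE, OUTSIDE, "SA", "tx"),   # SYN-ACK from inside (only on Tx)
    Pkt(OUTSIDE, INSIDE, "A",  "rx"),   # final ACK completes the handshake
    Pkt(OUTSIDE, INSIDE, "PA", "rx"),   # client data
    Pkt(INSIDE, OUTSIDE, "PA", "tx"),   # server data (only on Tx)
]

def track(packets, directions):
    """Hypothetical minimal stream tracker. Only packets whose direction is
    in `directions` are fed in (this models what the SPAN delivers).
    Returns (established_session_count, orphan_packet_count): an orphan is a
    packet the tracker cannot tie to a completed handshake, which is exactly
    the traffic an 'established'-flagged rule will never be applied to."""
    state = {}
    established = set()
    orphans = 0
    for p in packets:
        if p.direction not in directions:
            continue
        key = frozenset((p.src, p.dst))   # endpoint pair, direction-agnostic
        s = state.get(key, "NONE")
        if s == "NONE" and p.flags == "S":
            state[key] = "SYN_SEEN"
        elif s == "SYN_SEEN" and p.flags == "SA":
            state[key] = "SYNACK_SEEN"
        elif s == "SYNACK_SEEN" and "A" in p.flags:
            state[key] = "ESTABLISHED"
            established.add(key)
        elif s == "ESTABLISHED":
            pass   # data on a tracked session: eligible for 'established' rules
        else:
            orphans += 1   # no handshake context: treated as not part of a real connection
    return len(established), orphans

def host_not(packets, host):
    """Equivalent of the libpcap filter 'not host <addr>': drop every packet
    whose source or destination is the excluded address, in both directions."""
    return [p for p in packets if host not in (p.src, p.dst)]

def compare_span_modes(packets=SAMPLE):
    """Return the tracker results for an Rx-only SPAN versus a full-duplex one."""
    return {
        "rx_only": track(packets, {"rx"}),
        "both":    track(packets, {"rx", "tx"}),
    }

if __name__ == "__main__":
    print(compare_span_modes())                      # {'rx_only': (0, 2), 'both': (1, 0)}
    print(len(host_not(SAMPLE, OUTSIDE)))            # 0: every packet touches the excluded host
    print(len(host_not(SAMPLE, "192.168.1.1")))      # 5: nothing matches, nothing is dropped
```

With Rx only, the SYN-ACK never arrives, so the session never reaches ESTABLISHED and the subsequent ACK and data packets are orphans; with both directions mirrored the same connection is tracked normally. The exclusion is applied before tracking, so a server that is filtered out contributes no packets at all, which is the cheapest place to drop it. On a real snort command line the equivalent is a trailing expression such as `snort -c snort.conf -i eth0 not host 192.168.1.1`, or the same expression in a file passed with `-F`.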