[Snort-users] snort inline (non-drop mode) br0

Joel Esler jesler at ...1935...
Tue Feb 1 13:45:42 EST 2011


I keep seeing you post to the list asking about open sessions.  But I never
see any responses to anyone's questions that we ask.

Are you having a problem with open sessions, or are you perceiving it to be
a problem?  What's the problem?  Are you dropping packets?  Are you seeing
duplicate traffic?

Is Snort not detecting things?  What's the issue?


On Tue, Feb 1, 2011 at 12:59 PM, Lawrence R. Hughes, Sr. <lhughes at ...14822...> wrote:

> Hi,
> We use snort inline in the non-drop mode and our sensor listens on br0.
> Could it be that we detect the 3whs (session) with stream5, but don't
> detect when the session has ended, thus giving us a high rate of open
> sessions?
> If this is the case, then what interface would be better to use, eth0 or
> eth1 (currently both eth0 & eth1 are configured to give us br0)?
> Thanks,
> Larry

Joel Esler
http://blog.snort.org && http://blog.clamav.net