[Snort-users] Snort and network taps

m.pedro at ...5068... m.pedro at ...5068...
Wed Dec 2 09:01:20 EST 2015



Could anyone confirm if the NIC setting “net.ipv4.conf.all.rp_filter = 0” is required for a snort install inspecting traffic fed from a network tap? 




The setting makes sense for network tap fed devices as it’s a one-way traffic flow and they cannot verify the sources from that NIC. The question is being brought up as “net.ipv4.conf.all.rp_filter = 1” is the more secure configuration option and these devices are not the same as the others. 




Thanks in advance. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151202/b0b7a679/attachment.html>


More information about the Snort-users mailing list