[Snort-users] Snort and network taps

Mike Pedro m.pedro at ...5068...
Mon Dec 7 08:41:00 EST 2015


Hello Everyone,

 

In my hurry to send my original email, I didn’t identify myself, my apologies.

 

If anyone can provide any information on the need for the “net.ipv4.conf.all.rp_filter = 0” setting when using network taps, it would be much appreciated.

 

Thanks,

Mike P.

 

 

 

From: m.pedro at ...5068...
Sent: Wednesday, December 02, 2015 9:01 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort and network taps

 

Could anyone confirm if the NIC setting “net.ipv4.conf.all.rp_filter = 0” is required for a Snort install inspecting traffic fed from a network tap?

 

The setting makes sense for network tap fed devices as it’s a one-way traffic flow and they cannot verify the sources from that NIC. The question is being brought up as “net.ipv4.conf.all.rp_filter = 1” is the more secure configuration option and these devices are not the same as the others.

 

Thanks in advance.
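
Added example, not part of the original message: the Linux kernel's ip-sysctl documentation says source validation on an interface uses the maximum of conf/all/rp_filter and conf/<interface>/rp_filter, so the "all" key and the per-interface keys have to be read together. This sketch computes the effective value per interface and lists non-capture interfaces left without reverse-path filtering; the interface names (eth0 management, eth1 tap-fed) and the sample values are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `sysctl -a` style output for a sensor with a
# management NIC (eth0) and a tap-fed capture NIC (eth1). Assumed names.
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0'

# effective_rp_filter: read "key = value" lines on stdin and print
# "<iface> <effective>" per interface, where effective is
# max(conf.all, conf.<iface>). "default" only seeds new interfaces,
# so it is skipped.
effective_rp_filter() {
    awk -F'[ =]+' '
        /^net\.ipv4\.conf\.[^.]+\.rp_filter/ {
            split($1, k, ".")
            if (k[4] == "all") all = $2 + 0
            else if (k[4] != "default") val[k[4]] = $2 + 0
        }
        END {
            for (i in val) {
                e = (val[i] > all) ? val[i] : all
                print i, e
            }
        }' | sort
}

# non_capture_unfiltered CAPTURE_IF: list interfaces other than CAPTURE_IF
# and lo whose effective rp_filter is 0 (no source validation).
non_capture_unfiltered() {
    effective_rp_filter |
        awk -v cap="$1" '$1 != cap && $1 != "lo" && $2 == 0 { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | effective_rp_filter
```

On a live sensor the same functions can be fed with `sysctl -a 2>/dev/null | grep '\.rp_filter'`.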
