[Snort-users] Snort and network taps

Mike Pedro m.pedro at ...5068...
Mon Dec 7 08:41:00 EST 2015

Hello Everyone,


In my hurry to send my original email, I didn’t identify myself, my apologies.


If anyone can provide any information on the need for the “net.ipv4.conf.all.rp_filter = 0” setting when using network taps, it would be much appreciated.



Mike P.




From: m.pedro at ...5068...
Sent: Wednesday, December 02, 2015 9:01 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort and network taps


Could anyone confirm if the NIC setting “net.ipv4.conf.all.rp_filter = 0” is required for a snort install inspecting traffic fed from a network tap?


The setting makes sense for network tap fed devices as it’s a one-way traffic flow and they cannot verify the sources from that NIC. The question is being brought up as “net.ipv4.conf.all.rp_filter = 1” is the more secure configuration option and these devices are not the same as the others.


Thanks in advance.
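
Added example, not part of the original thread: the kernel validates sources on an interface using the higher of conf.all.rp_filter and that interface's own rp_filter, so the tap-facing NIC can be relaxed while other NICs stay strict. The sketch below computes that effective value from sysctl-style lines; the interface names eth0 (management) and eth1 (tap feed) and the sample settings are constructed assumptions.

```shell
#!/bin/sh
# Effective rp_filter per interface, computed from sysctl-style lines.
# The kernel uses max(conf.all.rp_filter, conf.<iface>.rp_filter) when
# doing source validation on <iface>.

# Constructed sample: eth0 and eth1 are hypothetical interface names.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0'

# rp_value KEY SETTINGS -> prints the value of net.ipv4.conf.KEY.rp_filter,
# or fails if the key is not present in SETTINGS.
rp_value() {
    printf '%s\n' "$2" | awk -v k="net.ipv4.conf.$1.rp_filter" '
        { gsub(/[ \t]/, "") }        # accept "key = value" and "key=value"
        { split($0, kv, "=") }
        kv[1] == k { v = kv[2] }     # last assignment wins
        END { if (v == "") exit 1; print v }'
}

# effective_rp_filter IFACE SETTINGS -> prints max(all, IFACE)
effective_rp_filter() {
    all=$(rp_value all "$2") || return 1
    ifv=$(rp_value "$1" "$2") || return 1
    if [ "$all" -gt "$ifv" ]; then echo "$all"; else echo "$ifv"; fi
}

# describe MODE -> meaning of an rp_filter value
describe() {
    case "$1" in
        0) echo "off (no source validation)" ;;
        1) echo "strict (RFC 3704)" ;;
        2) echo "loose (RFC 3704)" ;;
        *) echo "unknown" ;;
    esac
}

for i in eth0 eth1; do
    m=$(effective_rp_filter "$i" "$SAMPLE_SYSCTL")
    echo "$i: effective rp_filter=$m, $(describe "$m")"
done
```

Because the higher value wins, leaving conf.all at 1 keeps every interface at strict or above regardless of its own setting; relaxing only the tap NIC means conf.all = 0 with each remaining interface set to 1 explicitly.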
