No subject


Thu Nov 23 16:36:19 EST 2017


Hello,

I had a question about the use of flow:established in the context of snort rules.

How does snort interpret an established session? Does it utilize traffic in both directions, or can it still understand an established connection from unidirectional traffic?

A hypothetical situation would be an http connection negotiation where part or all of the server response is dropped by snort. Would snort still be able to understand that the session was established based off unidirectional communications, or would snort assume the session was not established and pass the packet with malicious content?

If it did pass on the packet, would snort also pass it if the flow:to_server option was instead substituted?

From what I have read in the FAQ about switched environments, not being able to see RX and TX traffic causes a drawback of being unable to perform stateful analysis, but then it says a workaround is to monitor RX traffic only on a gigabit switch. This seems contradictory to me, so I am simply seeking clarification.

If this question seems elementary, I apologize. I am new to utilizing snort, but I do research, and from plenty of time at Google and reading what I found, I could not find a clear answer. Any help would be much appreciated!

Cheers,

Ramon Fernandez
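As an added illustration (not part of Ramon's post and not Snort's own code), here is a constructed Python model of the two ways a stream tracker can decide that a TCP session is established, run once over a full-duplex capture and once over the same session as an RX-only span would see it. The names track, rule_matches and the packet tuples are assumptions of this model, and the "require the full handshake" versus "pick the session up midstream" choice is a modelling assumption, not a statement about Snort's defaults.

```python
# Constructed model (not Snort's code) of how a stream tracker decides whether
# a TCP session is established and which way a packet travels. Two policies:
# require_3whs=True marks a session established only after the full
# SYN / SYN-ACK / ACK handshake; require_3whs=False also picks a session up
# midstream from a data-bearing ACK. Packets are (src, dst, flags, payload_len).

def track(packets, require_3whs):
    """Return one (direction, established) decision per packet. Direction is
    learned from the first bare SYN (its sender is the client); a real tracker
    may guess direction without a SYN, but this model does not."""
    client = None
    saw_synack = False
    established = False
    out = []
    for src, dst, flags, plen in packets:
        if client is None and "SYN" in flags and "ACK" not in flags:
            client = src
        if client is None:
            out.append(("unknown", False))  # no SYN yet: nothing to match on
            continue
        direction = "to_server" if src == client else "to_client"
        data_ack = "ACK" in flags and "SYN" not in flags
        if direction == "to_client" and {"SYN", "ACK"} <= flags:
            saw_synack = True  # only visible if the TX side is monitored
        if not established and data_ack:
            if saw_synack and direction == "to_server":
                established = True  # handshake completed in both directions
            elif not require_3whs and plen > 0:
                established = True  # midstream pickup from one-way data
        out.append((direction, established))
    return out

# Constructed capture: a client opens a connection and sends an HTTP request.
FULL_DUPLEX = [
    ("client", "server", {"SYN"}, 0),
    ("server", "client", {"SYN", "ACK"}, 0),
    ("client", "server", {"ACK"}, 0),
    ("client", "server", {"ACK", "PSH"}, 120),
]
# The same session as an RX-only span sees it: the server's packets are gone.
RX_ONLY = [p for p in FULL_DUPLEX if p[0] == "client"]

def rule_matches(packets, require_3whs, need_established):
    """Would a rule carrying flow:to_server (plus flow:established when
    need_established is True) fire on the last packet of the capture?"""
    direction, established = track(packets, require_3whs)[-1]
    return direction == "to_server" and (established or not need_established)
```

Under the strict policy the RX-only capture never becomes established, so a flow:established rule stays silent on the request while a flow:to_server-only rule still fires; the midstream policy recovers the established state from the data-bearing ACK alone.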