Menu
▾
▴
Re: [Snort-inline-users] stateless vs. stateful
|
From: Victor J. <vi...@nk...> - 2004-11-22 08:49:53
|
Hi Jochen, On Monday 22 November 2004 09:13, Jochen Vogel wrote: > hi, > > -works snort_inline stateful or stateless? It depends: if you enable the stream4 preprocessor it is stateful. > -what are doing the stateful and stateless doing exactly in an IPS? When stream4 is enabled, packets that do not belong to an existing connection and do not initialise a connection are dropped. Without stream4, there is no way for Snort-inline to know this. > -what are the differences? If you enable stream4_reassembly as well multiple packets in a stream are scanned for threads, thereby preventing missing an attack that is split up over two packets. > -how is the behaviour in an high availabilty environment? As far as i know bad. There is no mechanism that allows two snort_inline boxes to exchange their state-table. Thinking out loud: however, using iptables failover (ct_sync if i'm correct) and iptstate option for stream4 it _could_ work... maybe... no reassembly i think... ideas anyone? Regards, Victor > > thx for infos > jo > > > ------------------------------------------------------- > SF email is sponsored by - The IT Product Guide > Read honest & candid reviews on hundreds of IT Products from real users. > Discover which products truly live up to the hype. Start reading now. > http://productguide.itmanagersjournal.com/ > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users |
