From: Victor J. <vi...@nk...> - 2004-11-22 10:08:29
On Monday 22 November 2004 11:04, Maziar Moezzi wrote:
> Hi Guys,
>
>
> Being a newbie to Snort and Snort-inline and trying to implement a
> similar LINUX box.... I have a quick Question:
>
> * How would I enable Stream4 in the pre-processor.....to make it ?
> greatly appreciated...

Enable it in your snort_inline.conf by uncommenting the line

    preprocessor stream4

and optionally

    preprocessor stream4_reassemble

>
> Since as I read from previous email.....
> When stream4 is enabled, packets that do not belong to an existing
> connection and do not initialise a connection are simply dropped. So without
> stream4 enabled, there is no way for Snort-inline to identify this
> issue....

Not as far as I know...

Regards,
Victor

>
> Thanks,
>
> Maz
>
>
>
> ===============================================================
> Hi Jochen,
>
> On Monday 22 November 2004 09:13, Jochen Vogel wrote:
> > hi,
> >
> > -works snort_inline stateful or stateless?
>
> It depends: if you enable the stream4 preprocessor it is stateful.
>
> > -what are doing the stateful and stateless doing exactly in an IPS?
>
> When stream4 is enabled, packets that do not belong to an existing connection
> and do not initialise a connection are dropped. Without stream4, there is no
> way for Snort-inline to know this.
>
> > -what are the differences?
>
> If you enable stream4_reassembly as well multiple packets in a stream are
> scanned for threads, thereby preventing missing an attack that is split up
> over two packets.
>
> > -how is the behaviour in an high availabilty environment?
>
> As far as i know bad. There is no mechanism that allows two snort_inline boxes
> to exchange their state-table.
>
> Thinking out loud: however, using iptables failover (ct_sync if i'm correct)
> and iptstate option for stream4 it _could_ work... maybe... no reassembly i
> think... ideas anyone?
>
> Regards,
> Victor
>
> > thx for infos
> > jo
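
The stateless, stateful and reassembling behaviours described in this thread, as a toy Python model added here for illustration; it is not code from Snort, snort_inline or the posters. The `ToyInline` class, the verdict strings, the addresses and the `evil.cgi` signature are all constructed assumptions, and the model ignores TCP sequence numbers.

```python
from collections import namedtuple

# Constructed packet model: flags "S" = SYN opening a connection, "A" = other
# traffic. No sequence numbers, so in-order delivery is assumed.
Packet = namedtuple("Packet", "src sport dst dport flags payload")


class ToyInline:
    """Hypothetical stand-in for an inline engine with optional state tracking."""

    def __init__(self, signature, stateful=False, reassemble=False):
        self.signature = signature
        self.stateful = stateful
        self.reassemble = stateful and reassemble  # reassembly needs state
        self.connections = set()  # state table of known connections
        self.tails = {}           # per-direction tail of earlier payload

    def verdict(self, p):
        src_ep, dst_ep = (p.src, p.sport), (p.dst, p.dport)
        conn = frozenset((src_ep, dst_ep))
        if self.stateful and conn not in self.connections:
            if p.flags != "S":
                return "drop:no-state"  # neither known nor a connection start
            self.connections.add(conn)
        data = p.payload
        if self.reassemble:
            # Prepend the tail of earlier data so a pattern split across
            # packet boundaries is still visible to the matcher.
            data = self.tails.get((src_ep, dst_ep), b"") + p.payload
            keep = len(self.signature) - 1
            self.tails[(src_ep, dst_ep)] = data[-keep:] if keep else b""
        return "drop:signature" if self.signature in data else "accept"


def pkt(src, dst, flags, payload=b""):
    return Packet(src[0], src[1], dst[0], dst[1], flags, payload)


CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 80)  # constructed endpoints
SIG = b"evil.cgi"                                        # constructed signature
TRAFFIC = [
    pkt(CLIENT, SERVER, "S"),
    pkt(CLIENT, SERVER, "A", b"GET /cgi-bin/ev"),
    pkt(CLIENT, SERVER, "A", b"il.cgi HTTP/1.0"),
    pkt(("10.0.0.7", 41000), SERVER, "A", b"stray data"),  # no SYN seen first
]


def run(**options):
    engine = ToyInline(SIG, **options)
    return [engine.verdict(p) for p in TRAFFIC]
```

Calling `run()`, `run(stateful=True)` and `run(stateful=True, reassemble=True)` shows the three cases: everything accepted, the stray packet dropped for lack of state, and additionally the split pattern caught on its second half.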