From: Pieter V. <pv...@ab...> - 2005-08-02 15:36:31
Hi,

Thanks for all the helpful info. I've got snort up and running in inline mode, tested it with sneeze, and all seems to work. But I still have a question: currently only packets with state NEW (only for INPUT and FORWARD, not for OUTPUT) which are accepted by iptables are sent to snort_inline in my setup. But what about detection and state? As I understood it, the preprocessors allow tracking state for IP, TCP, ... by keeping a cache for a certain period. And I also suppose some rules match specific strings that are not necessarily in the first packet of a connection? I suppose the defragmentation checks are unnecessary, as iptables will execute defragmentation before the packet is checked by its own rules. Or is this not true?

So basically my question is: are the preprocessors still working when only NEW packets are checked, and is it a good idea to only check NEW packets?

kind regards,
Pieter Able

--
Pieter Vanmeerbeek
R&D Engineer
---------------------------------------------------
Able N.V.                 Tel: +32(0)15 50.44.00
Dellingstraat 28b         Fax: +32(0)15.50.44.09
B-2800 Mechelen
http://www.axsguard.com
http://www.doITsafe.net
aXs GUARD - internet communication appliance
---------------------------------------------------
Able NV: ond.nr 0457.938.087
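The question above is about what an inline sensor can still detect when iptables queues only NEW-state packets to it. The following toy model is an added example written for this page; it is not snort_inline code and not from the poster. It constructs a three-packet flow (labelled as constructed) in which the interesting string appears only after the handshake and is split across two segments, then shows which flows a content rule would fire on under a NEW-only queue policy versus queuing all tracked states, with and without stream reassembly. The `Packet` class, the `SAMPLE_FLOW` data and the `detections` helper are all assumptions of this model, not snort_inline or iptables APIs.

```python
"""Toy model (constructed, not snort_inline code) of what an inline IDS sees when
iptables queues only NEW-state packets versus all packets of a tracked flow."""
from dataclasses import dataclass


@dataclass
class Packet:
    flow: str        # constructed 5-tuple label, e.g. "10.0.0.5:40000->192.168.1.10:80"
    ct_state: str    # iptables conntrack state as seen by `-m state`: NEW, ESTABLISHED, RELATED
    payload: bytes


FLOW = "10.0.0.5:40000->192.168.1.10:80"

# Constructed HTTP-like flow: the SYN carries no payload, and the string a
# content rule would look for only appears later, split across two segments.
SAMPLE_FLOW = [
    Packet(FLOW, "NEW", b""),
    Packet(FLOW, "ESTABLISHED", b"GET /cgi-bin/ HTTP/1.0\r\nUser-Agent: snee"),
    Packet(FLOW, "ESTABLISHED", b"ze-test\r\n\r\n"),
]


def queued_packets(packets, states):
    """Packets that would reach the QUEUE target under `-m state --state <states>`."""
    return [p for p in packets if p.ct_state in states]


def reassemble(packets):
    """Stream-style reassembly: concatenate each flow's payloads in arrival order.

    This stands in for what a stream preprocessor does; it only works if the
    sensor actually receives every segment of the flow.
    """
    streams = {}
    for p in packets:
        streams[p.flow] = streams.get(p.flow, b"") + p.payload
    return streams


def matches(packets, content, reassembled=True):
    """Flows in which `content` is found, in the reassembled stream or packet by packet."""
    if reassembled:
        return sorted(f for f, data in reassemble(packets).items() if content in data)
    return sorted({p.flow for p in packets if content in p.payload})


def detections(policy_states, content=b"sneeze-test"):
    """Flows that fire for a simple content rule under a given iptables queue policy."""
    seen = queued_packets(SAMPLE_FLOW, set(policy_states))
    return {
        "stream": matches(seen, content, reassembled=True),
        "per_packet": matches(seen, content, reassembled=False),
    }


if __name__ == "__main__":
    print("NEW only:          ", detections({"NEW"}))
    print("all tracked states:", detections({"NEW", "ESTABLISHED", "RELATED"}))
```

With only NEW queued, the sensor receives a single empty SYN and detects nothing, whatever the preprocessors do; with all tracked states queued, the per-packet search still misses the string because it straddles two segments, and only the reassembled stream matches. The model ignores retransmissions, ordering and the other work a real stream preprocessor does.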