From: Victor J. <vi...@nk...> - 2005-08-02 16:12:07
> So basically my question is are the preprocessors still working when only
> new packets are checked and is it a good idea to only check new packets?

No, because one of the things snort and snort_inline do is check the payload of your connections against the signatures of known attacks. The syn-packet in a tcp connection will have no data, or just a very limited amount when compared to the entire connection. So I would very highly recommend you to send all packets of a connection to snort_inline.

Regards,
Victor
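
The point of the reply above, as an added example that is not part of the original message and is not Snort code: two constructed TCP flows are filtered the way a rule that queues only NEW packets would filter them, and a constructed marker is matched against what remains. The packet model, the marker string and the simplified in-order reassembly are assumptions made for illustration.

```python
# Added illustration: constructed packets and signature, not Snort code.
from dataclasses import dataclass

@dataclass
class Packet:
    state: str      # connection-tracking state: "NEW" or "ESTABLISHED"
    flags: str      # TCP flags, for readability only
    payload: bytes

SIGNATURE = b"TEST-SIGNATURE-1234"   # constructed marker, stands in for a rule's content match

def handshake():
    # Only the initial SYN is NEW; the replies and everything after are ESTABLISHED.
    return [Packet("NEW", "SYN", b""),
            Packet("ESTABLISHED", "SYN/ACK", b""),
            Packet("ESTABLISHED", "ACK", b"")]

# Constructed flows: marker inside one segment, and marker split across two segments.
FLOW_SINGLE = handshake() + [Packet("ESTABLISHED", "PSH/ACK", b"data " + SIGNATURE + b" data")]
FLOW_SPLIT = handshake() + [Packet("ESTABLISHED", "PSH/ACK", b"data " + SIGNATURE[:9]),
                            Packet("ESTABLISHED", "PSH/ACK", SIGNATURE[9:] + b" data")]

def queued(flow, only_new):
    """Packets a firewall rule would hand to the inline IDS."""
    return [p for p in flow if not only_new or p.state == "NEW"]

def visible_to_ids(flow, only_new):
    """Summarise what the IDS can see and match under the given queueing policy."""
    pkts = queued(flow, only_new)
    return {
        "packets": len(pkts),
        "payload_bytes": sum(len(p.payload) for p in pkts),
        # match on each packet in isolation
        "per_packet_hits": sum(SIGNATURE in p.payload for p in pkts),
        # match on payloads joined in order (simplified reassembly: no loss, no reordering)
        "stream_hit": SIGNATURE in b"".join(p.payload for p in pkts),
    }

if __name__ == "__main__":
    for name, flow in (("single", FLOW_SINGLE), ("split", FLOW_SPLIT)):
        for only_new in (True, False):
            print(name, "NEW only" if only_new else "all packets",
                  visible_to_ids(flow, only_new))
```

With only NEW packets queued, the IDS sees one packet carrying zero payload bytes, so neither the per-packet match nor the reassembled-stream match can fire; the split flow additionally shows that a stream-level match needs every data segment of the connection.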