[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: snorting bridges? [ Was: Re: iptables with a linux bridge ]



* Rens Houben <shadur@systemec.nl> [2001.12.03 13:02:50+0100]:
> Anyways, I've been following this thread and wondering: Is there any
> reason why snort would or would not work with a bridge?

snort is a tool that primarily assesses ip, tcp, and application level
protocols. if you run it on a bridge, it will have a hard time seeing
any data because the bridge will "relay" before ip is touched. snort
should still be able to get the data because while the bridging code
may or may not rewrite the frame and send it out on another interface,
it does not prevent the encapsulated data to be branched off for
snort's use. but i am not sure actually.

if you do use snort on another machine you should consider that the
traffic on either side of the bridge is not always the same...

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
as i was going up the stair
i met a man who wasn't there.
he wasn't there again today.
i wish, i wish he'd stay away.
                                                       --hughes mearns

Attachment: pgpXhtL4lJulp.pgp
Description: PGP signature


Reply to: