Re: snorting bridges? [ Was: Re: iptables with a linux bridge ]
martin f krafft wrote:
>
> * Rens Houben <shadur@systemec.nl> [2001.12.03 13:02:50+0100]:
> > Anyways, I've been following this thread and wondering: Is there any
> > reason why snort would or would not work with a bridge?
>
> snort is a tool that primarily assesses ip, tcp, and application level
> protocols. if you run it on a bridge, it will have a hard time seeing
> any data because the bridge will "relay" before ip is touched. snort
> should still be able to get the data because while the bridging code
> may or may not rewrite the frame and send it out on another interface,
> it does not prevent the encapsulated data from being branched off for
> snort's use. but i am not sure actually.

They who post before searching deserve what they get. Hogwash (see
http://hogwash.sourceforge.net/ ) is exactly the marriage of snort and a
bridge. It works quite well, and doesn't have any sort of "hard time"
seeing data.
wes