This is a discussion on [Snort-users] one tap two interface no tcp session data logged within the Snort forums, part of the System Security and Security Related category.
Question: A tap was bought and connected to a box with three (3) NICs [one for mgmt and two for snorting], and a Snort process is running on each NIC. No TCP session data was logged, i.e. no IIS Code Red attempts.

Tried giving each NIC its own sensor name and that did not work. Finally, created a bridge with the two (2) NICs. Now one sees everything.

I Ass-U-Me that one Snort process saw incoming traffic and the other process saw outgoing traffic, so there never was an established connection for the IIS rules to fire on? If one does not want to bridge the traffic, what kind of rule should I write to catch an incoming stream with IP proto=tcp and root.exe? Of course I think that the http preprocessor normalizes the data, i.e. r^H^H^H^H^H^H^Ho^H^Ho^Ht.exe to root.exe, so I would want to bridge the traffic to make sure I get all of the alerts? Is that correct?

Thank you,
Raymond

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users
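The effect Raymond describes, as an added example that is not part of the original post and is not Snort's own code: a toy model in which a TCP flow only counts as "established" after the SYN, SYN/ACK and ACK have all been seen, run once over the full exchange (what the bridge of both tap legs delivers to one process) and once over a single tap leg (what one Snort process bound to one NIC gets). The two rule strings use standard Snort 2 syntax (header plus flow, content, nocase and sid options); the small parser, the handshake tracker, the addresses, the request payload and the sid numbers are all constructed for this example, and the tracker is a deliberate simplification that does not reproduce Snort's stream preprocessor.

```python
"""Why a flow-aware Snort rule starves on a one-direction tap feed (toy model).

Added illustration, not Snort's code: parses a subset of Snort 2 rule syntax,
tracks TCP handshakes, and runs the rules over constructed sample packets.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "S" = SYN, "SA" = SYN/ACK, "A" = ACK (with or without data)
    payload: bytes = b""


RULE_RE = re.compile(r"^alert tcp \S+ \S+ -> \S+ (\S+) \((.*)\)$")


def parse_rule(text):
    """Parse one rule into {dport, flow, contents, sid}; other options are ignored."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header: " + text)
    dport, body = m.groups()
    rule = {"dport": None if dport == "any" else int(dport),
            "flow": set(), "contents": [], "sid": None}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            rule["contents"].append([val.encode(), False])
        elif key == "nocase":                 # modifies the preceding content
            rule["contents"][-1][1] = True
        elif key == "flow":
            rule["flow"] = {f.strip() for f in val.split(",")}
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


class FlowTracker:
    """Minimal 3-way-handshake tracker keyed on the client->server 4-tuple."""

    def __init__(self):
        self.state = {}

    def update(self, p):
        """Record packet p; return (established, to_server) as known so far."""
        fwd = (p.src, p.sport, p.dst, p.dport)   # this packet's direction
        rev = (p.dst, p.dport, p.src, p.sport)   # the opposite direction
        if p.flags == "S":                       # client SYN opens a flow
            self.state[fwd] = "SYN"
            return False, True
        if p.flags == "SA":                      # server SYN/ACK answers it
            if self.state.get(rev) == "SYN":
                self.state[rev] = "SYN_ACK"
            return False, False
        if fwd in self.state:                    # client -> server
            if self.state[fwd] == "SYN_ACK":     # final ACK completes the handshake
                self.state[fwd] = "ESTABLISHED"
            return self.state[fwd] == "ESTABLISHED", True
        if rev in self.state:                    # server -> client
            return self.state[rev] == "ESTABLISHED", False
        return False, True                       # no SYN ever seen: no session state


def content_match(payload, pattern, nocase):
    return (pattern.lower() in payload.lower()) if nocase else (pattern in payload)


def run_rules(rule_texts, packets):
    """Return the sids that fire, in packet order (no stream reassembly is modelled)."""
    rules = [parse_rule(t) for t in rule_texts]
    tracker = FlowTracker()
    fired = []
    for p in packets:
        established, to_server = tracker.update(p)
        for r in rules:
            if r["dport"] is not None and r["dport"] != p.dport:
                continue
            if "established" in r["flow"] and not established:
                continue
            if "to_server" in r["flow"] and not to_server:
                continue
            if p.payload and all(content_match(p.payload, c, nc) for c, nc in r["contents"]):
                fired.append(r["sid"])
    return fired


# Stock-style rule: the direction and established-session checks need both tap legs.
FLOW_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS root.exe access"; '
             'flow:to_server,established; content:"root.exe"; nocase; sid:1000001; rev:1;)')
# Same content match with no flow option: fires on a lone segment from one leg,
# at the price of no direction check and more false positives.
NOFLOW_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"root.exe in any packet"; '
               'content:"root.exe"; nocase; sid:1000002; rev:1;)')

# Constructed sample traffic: documentation addresses and a made-up request.
CLIENT, SERVER = "203.0.113.7", "192.0.2.10"
REQUEST = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"
FULL_TRACE = [
    Pkt(CLIENT, SERVER, 40000, 80, "S"),
    Pkt(SERVER, CLIENT, 80, 40000, "SA"),
    Pkt(CLIENT, SERVER, 40000, 80, "A"),
    Pkt(CLIENT, SERVER, 40000, 80, "A", REQUEST),
]
# One tap leg carries one direction only; a Snort process on that NIC sees just this.
INBOUND_LEG = [p for p in FULL_TRACE if p.src == CLIENT]

if __name__ == "__main__":
    print("both legs (bridged):", run_rules([FLOW_RULE, NOFLOW_RULE], FULL_TRACE))
    print("inbound leg only   :", run_rules([FLOW_RULE, NOFLOW_RULE], INBOUND_LEG))
```

On the full trace both rules fire; on the inbound leg alone only the rule without a flow option fires, because the process never sees the SYN/ACK and so never has an established session. Dropping flow is therefore the answer to "what rule catches root.exe without bridging", but it costs the direction check, the established-session filter and any matching that depends on reassembling a string split across segments, so expect more noise. Delivering both tap legs to one capture interface (the bridge already in place, or any equivalent arrangement) is what keeps the stock flow-aware rules working.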