martin f krafft wrote:
>
> * Rens Houben <[EMAIL PROTECTED]> [2001.12.03 13:02:50+0100]:
> > Anyways, I've been following this thread and wondering: Is there any
> > reason why snort would or would not work with a bridge?
>
> snort is a tool that primarily assesses ip, tcp, and application level
> protocols. if you run it on a bridge, it will have a hard time seeing
> any data because the bridge will "relay" before ip is touched. snort
> should still be able to get the data because while the bridging code
> may or may not rewrite the frame and send it out on another interface,
> it does not prevent the encapsulated data from being branched off for
> snort's use. but i am not sure actually.

They who post before searching deserve what they get.

Hogwash (see http://hogwash.sourceforge.net/ ) is exactly the marriage of
snort and a bridge. It works quite well, and doesn't have any sort of
"hard time" seeing data.

wes