Snort mailing list archives

Re: Re: [Snort-users] IDS vs IPS


From: Yves Boisjoly <Yves.Boisjoly () sympatico ca>
Date: Fri, 22 Aug 2003 08:47:49 -0400 (EDT)


I didn't read all the history of this thread but, seeing that it seems to be
about Snort vs Dynamic Firewall, I invite you to take a look at my recent
Perl script called "Master-Slave.pl".

It actually looks into the syslog log file and searches for any "Snort" related
lines. It then checks the priority level and if it is equal to "1", it creates
the appropriate rule in iptables to block the attack.

Every aspect is configurable, it's dynamic! And it works so well...

It's available for free as an Open Source project on SourceForge at:

        http://sourceforge.net/projects/master-slave/

More on my personal website at:

        http://www3.sympatico.ca/lepetittuxervateur/index_.html

Click the button "Le projet Master-Slave". Please use any browser other than
Explorer, as this one doesn't digest my graphic buttons as .png files well ;-)


        For any questions, feel free to ask me at yves.boisjoly () sympatico ca

On Thu, 21 Aug 2003, Matt Kettler wrote:

MK >At 12:10 PM 8/20/2003 -0400, Vkmobile () aol com wrote:
MK >>So is Snort an IDS or an IPS (Intrusion Prevention) or both?
MK >>
MK >>Also, how can an IDS be converted to an IPS? Can someone point me in the 
MK >>right direction such as an FAQ or some website where i can read and learn?
MK >
MK >Snort itself is an IDS, and specifically a NIDS (network IDS) as opposed to 
MK >a HIDS (host IDS). There are tools like inline-snort and snortsam which 
MK >make it into an IPS by allowing it to interact with a firewall to block 
MK >packets.
MK >
MK >Snortsam is quite powerful, but it acts slightly after the offending 
MK >packet, so it won't block the packet that caused the alert. It's capable of 
MK >reconfiguring a wide variety of firewalls, including hardware boxes like 
MK >the cisco PIX.
MK >
MK >inline-snort I don't know much about, but I think it interacts with the 
MK >linux kernel's IPTables/netfilter layer directly. As such, it can only work 
MK >on linux, but might be able to block packets in true realtime. (at the 
MK >expense of some network slowdown if your rules are complex).
MK >
MK >
MK >
MK >
MK >
MK >-------------------------------------------------------
MK >This SF.net email is sponsored by: VM Ware
MK >With VMware you can run multiple operating systems on a single machine.
MK >WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
MK >at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
MK >_______________________________________________
MK >Snort-devel mailing list
MK >Snort-devel () lists sourceforge net
MK >https://lists.sourceforge.net/lists/listinfo/snort-devel
MK >

-- 

Yves Boisjoly, Administrateur systèmes UNIX
Yves.Boisjoly () sympatico ca
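The syslog-to-iptables idea described in the post, as an added example that is not Master-Slave.pl and not code from either poster. It assumes Snort is logging through its alert_syslog output (the "[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port" line format), parses those lines, keeps the ones at priority 1 (the threshold is a parameter, so it generalizes to "priority N or worse"), and builds one iptables DROP rule per distinct attacking source. Two things a practitioner would want that the post does not mention are included: a never-block list so a spoofed or misfiring alert cannot make the box firewall off its own management network, and the rule is built as an argv list from a validated IP address rather than a shell string, because the fields come out of attacker-influenced traffic. The sample syslog lines and the 192.0.2.0/24 "our network" range are constructed for the demo.

```python
"""Sketch of the syslog -> iptables blocking loop (added example, not
Master-Slave.pl).  Snort alerts are pulled out of syslog text, priority-1
alerts are kept, and an iptables DROP rule is produced per source."""
import ipaddress
import re
from typing import Iterable, List, Optional

# Snort's alert_syslog line shape (assumed here; check your own output):
#   snort[PID]: [gid:sid:rev] MSG [Classification: ...] [Priority: N] {PROTO} SRC[:SPORT] -> DST[:DPORT]
# ICMP alerts carry no ports, so the port parts are optional.  IPv4 only.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Constructed sample syslog excerpt: two priority-1 hits from one outside host,
# one priority-2 scan, one unrelated sshd line, and one priority-1 alert whose
# source is inside our own network (which we must not block).
SAMPLE_SYSLOG = """\
Aug 22 08:47:49 gw snort[2187]: [1:1256:8] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3152 -> 192.0.2.10:80
Aug 22 08:47:50 gw snort[2187]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.4 -> 192.0.2.10
Aug 22 08:47:51 gw snort[2187]: [1:1256:8] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3153 -> 192.0.2.10:80
Aug 22 08:47:52 gw sshd[911]: Accepted publickey for root from 192.0.2.1 port 50122 ssh2
Aug 22 08:47:53 gw snort[2187]: [1:2003:2] SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 1] {UDP} 192.0.2.1:1434 -> 192.0.2.10:1434
"""


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of a Snort syslog alert, or None for non-Snort lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def build_rule(src: str) -> List[str]:
    """iptables command as an argv list (hand it to subprocess.run, never to a
    shell).  The source address originates in attacker-influenced traffic, so
    it is re-validated here; ipaddress raises ValueError on anything odd."""
    addr = ipaddress.ip_address(src)
    return ["iptables", "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


def rules_for(lines: Iterable[str], threshold: int = 1,
              never_block: Iterable[str] = ()) -> List[List[str]]:
    """One DROP rule per distinct source whose alert priority is <= threshold
    (1 is Snort's most severe).  Sources inside any never_block network are
    skipped so a spoofed or misfiring alert cannot lock out our own hosts."""
    protected = [ipaddress.ip_network(net) for net in never_block]
    seen, rules = set(), []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > threshold:
            continue
        src = ipaddress.ip_address(alert["src"])
        if src in seen or any(src in net for net in protected):
            continue
        seen.add(src)
        rules.append(build_rule(str(src)))
    return rules


if __name__ == "__main__":
    # Demo: print the commands instead of running them (subprocess.run(argv)).
    for argv in rules_for(SAMPLE_SYSLOG.splitlines(), never_block=["192.0.2.0/24"]):
        print(" ".join(argv))
```

Run against the sample, the script emits a single rule for 203.0.113.7 (the two alerts from it are collapsed into one), drops the priority-2 scan, ignores the sshd line, and refuses to block 192.0.2.1 because it falls inside the never-block range. A real deployment would also need an expiry for the rules and a tail-follow loop on the syslog file rather than a one-shot read.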





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users