Snort mailing list archives

Snort & Intrusion Prevention


From: "Maetzky, Steffen (Extern)" <Steffen.Maetzky () gedas de>
Date: Wed, 2 Jun 2004 15:10:07 +0200

Hi,

I'd like to compare some possibilities of using snort as an IPS.
I know the following plugins/patches:

Flexresp/ flexresp2, Snort-inline, Guardian, Snortsam

I'd like to know if my understanding of them is right or not
and if there are further advantages or disadvantages I have not listed
which depend directly on the architecture of one of the systems.

My understanding of them is the following:

1. Snort goes into "Inline-Mode" (what does "Inline-Mode" mean?) if I
use flexresp, flexresp2 or snort-inline, which means that snort can block
actively.

Advantage:
-> only the session which includes a bad packet is closed
-> no DoS over a special period like in other systems, only the bad packet is
blocked
-> no changes to the active firewall are made

Disadvantage:
-> snort drops packets while it blocks a session

2. If I use guardian or snortsam, snort is still passive and doesn't drop
packets, but sessions are closed over a special period.
Guardian and snortsam reconfigure an active firewall directly.
-> DoS possible

Please, tell me what you know

Steffen



 

