Snort mailing list archives
Re: Question for the Guru's
From: NA <dustypath () comcast net>
Date: Mon, 14 Nov 2011 10:01:44 -0800
On 11/14/11 9:21 AM, carlopmart wrote:
> On 11/14/2011 05:55 PM, John Liss wrote:
>> Hey Gang,
>>
>> We have been Snort users for a long while now, and we have always used it as an IDS, in alert mode only, with a mirrored port.
>>
>> Our typical setup is like: http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
>>
>> Internet -> firewall - lan | snort eth 1
>>
>> Recently our team has started to research a more proactive approach to using Snort where we can drop packets on offending rules. So the question to the group would be:
>>
>> Requirements: Snort to be inline, bridged, and have the ability to drop bad traffic.
>>
>> Internet -> snort eth1 -> snort eth2 -> firewall -> lan
>>
>> What is the best way to approach dropping packets for offending rules?
>>
>> Just plain Snort? (Does 2.9.1.2 support inline with the ability to drop?)
>> Snort with Samsnort?
>> Snort inline (though doesn't look like it is maintained much anymore)
>>
>> We are wanting to do inline mode with a subscription to rules, but before we purchase the rules, we need a proof of concept first. We would like to use the latest snort-2.9.1.x branch if we can.
>>
>> Thanks in advance!
>> -John
>
> See daq docs about af-packet and nfq ...
If I may jump in here to forward the conversation, does anyone have an opinion of which is better in-line, af-packet or nfq? I am currently running Snort inline using af-packet (using Gentoo) and NFQ was not originally available in the 2.9.x.x version.

-Bill
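For readers weighing the two DAQ modules discussed in this thread, the following is an added example, not configuration posted by anyone on the list. It shows a Snort 2.9.x inline setup for the eth1/eth2 bridge described above, with af-packet active and the nfq alternative commented out. The file path, queue number, rule message and SID are constructed for illustration.

```conf
# snort.conf fragment for Snort 2.9.x built against the DAQ library.
# Constructed example: path, queue number and SID are assumptions.

# --- Option A: afpacket inline ---------------------------------------
# Snort itself copies frames between the two interfaces, so no kernel
# bridge or iptables rule is involved. If Snort is not running, nothing
# is forwarded between eth1 and eth2 (fails closed).
# Start with:
#   snort -Q --daq afpacket -i eth1:eth2 -c /etc/snort/snort.conf
config daq: afpacket
config daq_mode: inline
config policy_mode: inline

# --- Option B: nfq inline --------------------------------------------
# The kernel forwards (routes or bridges) the traffic and netfilter hands
# packets to Snort through a queue. Only traffic matched by the iptables
# rule is inspected, which allows selective inspection. Packets sent to a
# queue with no listener are dropped unless the NFQUEUE rule is given
# --queue-bypass (needs a kernel and iptables that support it).
# Start with:
#   iptables -I FORWARD -j NFQUEUE --queue-num 0
#   snort -Q --daq nfq --daq-var queue=0 -c /etc/snort/snort.conf
# and replace the three Option A lines with:
#   config daq: nfq
#   config daq_mode: inline
#   config daq_var: queue=0

# --- Proof-of-concept drop rule (normally kept in local.rules) --------
# "drop" blocks and logs the packet; it only takes effect in inline mode.
# In passive mode the same rule behaves like an alert.
drop icmp any any -> $HOME_NET any (msg:"PoC inline drop of ICMP echo request"; itype:8; sid:1000001; rev:1;)
```

With either module, pinging a host in `$HOME_NET` across the sensor should time out and produce an alert entry, which confirms that drop rules are being enforced rather than only logged.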
Current thread:
- Question for the Guru's John Liss (Nov 14)
- Re: Question for the Guru's Joel Esler (Nov 14)
- Re: Question for the Guru's carlopmart (Nov 14)
- Re: Question for the Guru's NA (Nov 14)
- Re: Question for the Guru's carlopmart (Nov 14)
- Re: Question for the Guru's John Liss (Nov 14)
- Re: Question for the Guru's NA (Nov 14)
- Re: Question for the Guru's John Liss (Nov 14)
- Re: Question for the Guru's John Liss (Nov 16)
- Re: Question for the Guru's Joel Esler (Nov 17)
- Re: Question for the Guru's NA (Nov 14)