Snort mailing list archives

Re: Question for the Gurus


From: carlopmart <carlopmart () gmail com>
Date: Mon, 14 Nov 2011 19:17:01 +0100

On 11/14/2011 07:01 PM, NA wrote:
> On 11/14/11 9:21 AM, carlopmart wrote:
>> On 11/14/2011 05:55 PM, John Liss wrote:
>>> Hey Gang,
>>>
>>> We have been snort users for a long while now, and we have always used
>>> it as an IDS, in alert mode only, with a mirrored port.
>>> Our typical setup is like:
>>> http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
>>> Internet ->   firewall - lan
>>>                  |
>>>               snort eth 1
>>>
>>> Recently our team has started to research a more proactive approach to
>>> using snort where we can drop packets on offending rules.
>>>
>>> So the question to the group would be:
>>>
>>> Requirements:  Snort to be inline, bridged, and have the ability to drop
>>> bad traffic.
>>> Internet ->   snort eth1 ->   snort eth2 ->   firewall ->   lan
>>>
>>> What is the best way to approach dropping packets for offending rules?
>>>
>>> Just plain Snort?  (Does 2.9.1.2 support inline with the ability to drop?)
>>> Snort with SnortSam?
>>> Snort inline (though it doesn't look like it is maintained much anymore)
>>>
>>> We are wanting to do inline mode with a subscription to rules, but before
>>> we purchase the rules, we need a proof of concept first.
>>>
>>> We would like to use the latest snort-2.9.1.x branch if we can.
>>>
>>> Thanks in advance!
>>>
>>> -John
>>
>> See daq docs about af-packet and nfq ...
>
>
> If I may jump in here to forward the conversation, does anyone have an
> opinion of which is better in-line, af-packet or nfq?
> I am currently running Snort inline using af-packet (using Gentoo) and
> NFQ was not originally available in the 2.9.x.x version.
> -Bill


Inline is a dead line ... To work with snort as an IPS you need to use 
af-packet or nfq. Better?? Depends on your needs, your network topology 
and your experience with snort.


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
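The thread points at the two DAQ modules that make Snort 2.9.x an IPS (afpacket and nfq) but does not show what the resulting setup looks like. The script below is an added example, not something posted in the thread or shipped by the Snort project. It assumes a Snort 2.9.x build with the afpacket and nfq DAQ modules available; the interface names, the config path, the queue number and the three sample rules are constructed for the example. The afpacket variant bridges the two interfaces the way John's second diagram shows, the nfq variant takes packets from an iptables NFQUEUE target instead, and the last helper rewrites only a chosen list of sids from "alert" to "drop", so a proof of concept blocks just the rules you have already validated while everything else keeps alerting.

```shell
#!/bin/sh
# Added example: Snort 2.9.x inline with the afpacket or nfq DAQ, plus a
# helper that turns selected alert rules into drop rules. Interface names,
# config path, queue number and the sample rules are constructed here.

# afpacket inline: Snort bridges the two interfaces itself (no IP addresses
# on them) and forwards every packet it does not drop. -Q forces inline mode.
snort_afpacket_cmd() {
    in_if=$1; out_if=$2; conf=$3
    printf 'snort --daq afpacket --daq-mode inline -i %s:%s -Q -c %s' \
        "$in_if" "$out_if" "$conf"
}

# nfq inline: the kernel queues packets to user space and Snort issues an
# accept or drop verdict for each one; routing/bridging stays with the kernel.
snort_nfq_cmd() {
    queue=$1; conf=$2
    printf 'snort --daq nfq --daq-var queue=%s -Q -c %s' "$queue" "$conf"
}

# iptables rule that feeds forwarded traffic into the queue used above.
nfq_iptables_cmd() {
    queue=$1
    printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s' "$queue"
}

# Rewrite "alert" to "drop" only for rules whose sid is in the comma-separated
# list; all other rules pass through untouched. Reads stdin, writes stdout.
alert_to_drop() {
    sids=$1
    awk -v sids="$sids" '
        BEGIN { n = split(sids, a, ","); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^alert / {
            if (match($0, /sid:[0-9]+/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 4)
                if (sid in want) sub(/^alert /, "drop ")
            }
        }
        { print }
    '
}

# Constructed sample rules (not from any real ruleset).
SAMPLE_RULES='alert tcp any any -> any 22 (msg:"example ssh probe"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"example http scan"; sid:1000002; rev:1;)
pass tcp any any -> any 53 (msg:"example dns"; sid:1000003; rev:1;)'

# Only sid 1000001 becomes a drop rule; 1000002 keeps alerting for review.
converted_rules() {
    printf '%s\n' "$SAMPLE_RULES" | alert_to_drop "1000001"
}

# Run with "demo" to print the commands and the converted rules without
# touching the system; nothing here executes snort or iptables.
if [ "${1:-}" = "demo" ]; then
    echo "# afpacket bridge:"
    snort_afpacket_cmd eth1 eth2 /etc/snort/snort.conf; echo
    echo "# nfq queue 0:"
    nfq_iptables_cmd 0; echo
    snort_nfq_cmd 0 /etc/snort/snort.conf; echo
    echo "# converted rules:"
    converted_rules
fi
```

Start with afpacket if the box really is a bump in the wire between eth1 and eth2 as in the requirements diagram; pick nfq when the same host already routes or firewalls and you want iptables to decide which traffic Snort sees. Converting rules sid by sid, rather than globally, is what keeps a new inline deployment from dropping traffic on rules that were only ever tuned for alerting.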
