Snort mailing list archives
Re: don't interrupt traffic when snort inline crashes
From: "Guillaume Daleux" <guillaume.daleux () abovesecurity com>
Date: Sat, 14 Apr 2012 13:22:07 -0400
Hi Kiet,

This is the configuration for my IPS. I have 3 interfaces:
- eth6 and eth7, which listen and send packets
- eth4 for management

When I launch snort, it runs correctly and the bridge forwards packets, but when I stop snort, my packets are not forwarded.

So, I decided to add a system bridge with these commands:
- brctl addbr bridge0
- brctl addif bridge0 eth6
- brctl addif bridge0 eth7
- ifconfig bridge0 up
- ifconfig eth6 up
- ifconfig eth7 up

My bridge worked without snort, but when I launched snort it didn't work and it was impossible to manage my IPS with eth4. When I remove my system bridge and launch snort, it works...

Is there a conflict between the snort bridge and the system bridge?

Thanks for your help,
Guillaume

-----Original Message-----
From: Kiet Tran [mailto:kietstar () gmail com]
Sent: Saturday, April 14, 2012 12:16 PM
To: Guillaume Daleux
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] don't interrupt traffic when snort inline crashes

Hi Guillaume;

In normal operating conditions, your system running snort should be configured and behave like a wire connecting the network traffic on both sides. This means forwarded packets should look exactly the same as when they entered your system. This is sometimes called a transparent bridge, i.e., no VLAN translation, no MAC address translation, etc.

Then, when the system fails over to using the open NIC, network packets will continue to be identical, as if the snort filter were still active. Except for no filtering, the networking equipment connected on both sides of the snort system will be seeing the same packets as if the snort system was active.

Hope this helps.

Regards,
Kiet

On 4/13/2012 9:06 PM, Guillaume Daleux wrote:
Hi all,

We decided to use snort inline as an IPS. We will deploy snort inline on the network and we have one question about what will happen when the machine or snort crashes.

- If our machine crashes, we have a fail-open card, so traffic will be forwarded (of course without IPS, but we think it's better not to interrupt network traffic).
- My question is: if snort crashes, the bridge between our interfaces will be broken but the system will be up, so the fail-open card will not work as a bridge and we will lose every packet.

How could we resolve this issue so that traffic is not interrupted after snort crashes?

Thanks for your answer.

Guillaume DALEUX
tel : 450.430.8166 x2279 | guillaume.daleux () abovesecurity com
sans frais / toll free : 1.866.430.8166 | fax: 450.430.1858
Managed Security Services • Information Risk Management
Surveillance • Gestion Des Risques Informationnels
203 - 1919 boul. Lionel-Bertrand • Boisbriand • QC • Canada • J7H 1N8
www.abovesecurite.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
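The message above reports that the kernel bridge forwards traffic only while Snort is stopped, and that Snort forwards only while the kernel bridge is absent, so a watchdog can keep exactly one of the two active at a time. The sketch below is an added example, not code from any poster in this thread; the `pgrep` match on the process name `snort`, the 2-second poll interval and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Interface and bridge names come from the post; the pgrep match on "snort",
# the DRY_RUN switch and the 2-second poll interval are assumptions.
BRIDGE=bridge0
PORTS="eth6 eth7"
DRY_RUN=${DRY_RUN:-1}   # 1 = only print commands, 0 = execute them

snort_running()  { pgrep -x snort >/dev/null 2>&1; }
bridge_present() { [ -d "/sys/class/net/$BRIDGE/bridge" ]; }

# Decide what to do from the two observed states ("up" or "down" each).
# The kernel bridge may exist only while Snort is not forwarding.
next_action() {
    case "$1:$2" in
        down:down) echo bridge_up ;;    # Snort gone, nothing forwards: fail open
        up:up)     echo bridge_down ;;  # Snort is back: remove the competing bridge
        *)         echo none ;;
    esac
}

# Emit the commands for an action, one per line (the brctl/ifconfig
# sequence from the post, plus the matching teardown).
commands_for() {
    case "$1" in
        bridge_up)
            echo "brctl addbr $BRIDGE"
            for p in $PORTS; do echo "brctl addif $BRIDGE $p"; done
            echo "ifconfig $BRIDGE up"
            for p in $PORTS; do echo "ifconfig $p up"; done ;;
        bridge_down)
            echo "ifconfig $BRIDGE down"
            echo "brctl delbr $BRIDGE" ;;
    esac
}

apply() {
    commands_for "$1" | while read -r cmd; do
        # Every state change is logged: traffic is uninspected while failed open.
        logger -t snort-failopen "$1: $cmd" 2>/dev/null || true
        if [ "$DRY_RUN" = 1 ]; then echo "would run: $cmd"; else $cmd; fi
    done
}

watch_loop() {
    while :; do
        s=down; b=down
        snort_running && s=up; bridge_present && b=up
        apply "$(next_action "$s" "$b")"; sleep 2
    done
}
if [ "${1:-}" = "watch" ]; then watch_loop; fi
```

Packets are still dropped for up to one poll interval after Snort exits, and traffic passes without inspection while the fallback bridge is up, so the `snort-failopen` syslog entries are worth alerting on.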
Current thread:
- don't interrupt traffic when snort inline crashes Guillaume Daleux (Apr 13)
- Re: don't interrupt traffic when snort inline crashes Kiet Tran (Apr 14)
- Re: don't interrupt traffic when snort inline crashes Guillaume Daleux (Apr 14)
- Re: don't interrupt traffic when snort inline crashes Jaime Nebrera (Apr 16)
- Re: don't interrupt traffic when snort inline crashes Kiet Tran (Apr 14)