Snort mailing list archives

Re: Snort with AFPacket


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 04 Nov 2014 08:19:11 -0700

On 2014-11-04 08:14, Sec_Aficionado wrote:
It looks like snort as IPS is not going to work well with my setup. Not without major reworking of stuff that is stable and has been working for years.

The entire exercise, though, was a good learning experience for me. I understand better snort's architecture and how the different pieces fit together.

Thank you both gents for your help!

On Nov 4, 2014, at 7:28 AM, James Lay <jlay () slave-tothe-box net> wrote:

On Mon, 2014-11-03 at 21:26 -0500, waldo kitty wrote:

On 11/3/2014 8:56 PM, James Lay wrote:
On Mon, 2014-11-03 at 20:44 -0500, Sec Aficionado wrote:
Great, thank you for the explanation. NFQ was indeed my next step after trying AFPacket. AFPacket was easier to build, but I did not realize it might have serious side effects.

From the high level description of NFQ, it still works with iptables, but in a more efficient manner?


It's.....interesting. You have to be careful with where you place your iptables QUEUE rule for Snort to use. Because any rules placed AFTER the QUEUE rule are not looked at....as soon as the packet hits the QUEUE rule snort will either drop it as an IPS hit, or will pass it up the stack. So make sure you nmap the box once you put it in place...don't want any open surprises ;)

that's going to be fun to do... i'm extremely familiar with the setup that the OP is working with... the entire configuration is built by iptables and getting the queues in place is going to be early in the process /IF/ i'm looking at things properly... that also puts snort towards the end of all the flow instead of at the head of it unless i'm missing what you mean by "pass [the packet] up the stack"...

Yep..it's a hoot ;) And good call on the multiple NIC's waldo.

James


You bet....my personal belief is that Snort as an inline IPS on a dedicated, separate device with several NICs works excellently, but not on devices that provide routing/firewall services.

James
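The rule-ordering point made earlier in this thread (everything after the QUEUE rule in a chain is never evaluated, so the queue rule must sit after the rules that keep management access alive) can be audited before the ruleset is loaded. The script below is an added example, not code from the thread or from the Snort project: it runs a small awk pass over an iptables-save style dump and reports rules that are shadowed by an unconditional NFQUEUE rule in the same chain. The ruleset is constructed for illustration, and the queue number 0 is an assumption.

```shell
#!/bin/sh
# Audit an iptables-save dump for rules that follow an unconditional
# NFQUEUE rule in the same chain.  Constructed example ruleset, not taken
# from the thread; "--queue-num 0" is an assumed queue number.  The INPUT
# chain deliberately has an SSH accept rule *after* the queue rule, which
# is the mistake this check is meant to catch.
RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j NFQUEUE --queue-num 0
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j NFQUEUE --queue-num 0
COMMIT'

# Print "<chain>: <rule>" for every rule that sits after an unconditional
# NFQUEUE rule in its chain.  Once a packet is handed to the queue, the
# userspace verdict (accept or drop) ends traversal of that chain, so these
# rules are dead.  A NFQUEUE rule with a match clause (e.g. "-p tcp") only
# queues matching packets, so it does not shadow what follows and is ignored.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            if (queued[chain]) { print chain ": " $0; next }
            # "-A <chain> -j NFQUEUE ..." with no match clause catches everything
            if ($3 == "-j" && $4 == "NFQUEUE") queued[chain] = 1
        }'
}

# Print the rules that are evaluated before the queue rule in one chain,
# so the operator can confirm loopback, established/related and any
# management-access rules come first.  $1 = ruleset, $2 = chain name.
rules_before_queue() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c {
            if ($3 == "-j" && $4 == "NFQUEUE") exit
            print
        }'
}

# Stand-alone run: report the audit for the constructed ruleset.
echo "Rules evaluated before the queue in INPUT:"
rules_before_queue "$RULESET" INPUT
echo "Rules shadowed by the queue rule (never evaluated):"
shadowed_rules "$RULESET"
```

On a live box the dump would come from `iptables-save` instead of the embedded string; the shadowed SSH rule the script reports is exactly the kind of surprise the thread suggests confirming with a port scan after the queue rule goes in, and this check finds it before the ruleset is loaded.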

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
