[Snort-users] snort deployment

MAEDA snomrpt at ...13464...
Mon Aug 29 19:47:14 EDT 2005

You should run snort in inline mode (see the manual for version 2.3.x).
In inline mode, snort takes packet information from the QUEUE target of iptables.
So, you make a bridge between the two NICs, and assign QUEUE as the FORWARD chain target.

# ifconfig eth0 up
# ifconfig eth1 up

# modprobe bridge
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ifconfig br0 up

# modprobe ip_queue
# iptables -A FORWARD -j QUEUE

# snort -QD

> I'm building a Linux box with two NICs. I want to put this box between my PIX
> and switch. So I can for the IDS on all that traffic coming in and out of
> our LAN. I wanted to know, should I set this up in a bridge mode because I
> don't have a tap.
> Thanks adv.
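
Added example, not part of the original post: a preflight check for the bridge + QUEUE + "snort -Q" setup above. The QUEUE target drops packets when no userspace program is reading the queue, so the check separates "traffic is not inspected" from "traffic is being dropped". The function names and sample outputs are constructed for illustration; br0, eth0 and eth1 come from the post.

```bash
#!/bin/bash
# Added example (not from the original post): preflight check for the
# bridge + QUEUE + "snort -Q" setup. Every function parses captured command
# output, so it can be exercised offline on the constructed samples below.

# True if the FORWARD chain sends packets to QUEUE (iptables-save text on stdin).
forward_queues() { grep -Eq '^-A FORWARD( .*)? -j QUEUE( |$)'; }

# Prints the member interfaces of bridge $1 (`brctl show` text on stdin).
bridge_ports() {
    awk -v br="$1" 'NR == 1 { next }    # header row
        NF >= 3 { cur = $1 }             # first row of a bridge
        (NF == 4 || NF == 1) && cur == br { print $NF }'
}

# True if a snort process was started with -Q (`ps -eo args` text on stdin).
snort_inline_running() { grep -Eq '(^|/)snort( .*)? -[A-Za-z]*Q'; }

# Args: iptables-save text, brctl text, ps text, bridge name, expected ports...
inline_verdict() {
    local rules="$1" brctl="$2" procs="$3" br="$4" ports port
    shift 4
    ports=$(printf '%s\n' "$brctl" | bridge_ports "$br")
    for port in "$@"; do
        printf '%s\n' "$ports" | grep -qx "$port" || { echo "bridge-incomplete"; return 1; }
    done
    if ! printf '%s\n' "$rules" | forward_queues; then
        echo "not-inspected"    # bridged traffic never reaches snort
        return 1
    fi
    if ! printf '%s\n' "$procs" | snort_inline_running; then
        echo "fail-closed"      # QUEUE with no reader: forwarded packets are dropped
        return 1
    fi
    echo "inline-ok"
}

# Constructed sample output matching the commands in the post.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j QUEUE
COMMIT'
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth0
                                                        eth1'
SAMPLE_PS='/sbin/init
/usr/local/bin/snort -QD'

# Live use (as root):
# inline_verdict "$(iptables-save)" "$(brctl show)" "$(ps -eo args)" br0 eth0 eth1
```

A "fail-closed" verdict means the box is blocking the link between the PIX and the switch until snort is restarted, which makes it worth running from a watchdog.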

