[Snort-users] snort deployment

David Klotz bucky at ...242...
Tue Aug 30 12:07:27 EDT 2005

On Tue, 30 Aug 2005, MAEDA wrote:

> You should run snort as inline-mode (see manual version 2.3.x).
> In inline-mode, snort takes packet information from target QUEUE of iptables.
> So, you make a bridge between two NICs, and assign QUEUE to FORWARD-chain target.

Wouldn't inline just add another layer of complexity when it's not needed?  I
would go with the switch and the span port, unless you have some specific need
for inline, such as connection killing or any of the IPS style functionality.
But I'm no expert...

-bucky at ...242...

