[Snort-users] new user - snort is not droping pacekts

lokesh.khanna at ...13040... lokesh.khanna at ...13040...
Tue Feb 15 01:23:19 EST 2005


Thanks for reply.

I remember in real secure or manhunt, I used to configure a port in
mirroring mode on switch and I put IDS on that port. All our traffic was
going through that mirrored port. Based on rules defined in IDS, it was
dropping / logging packets. 

If I understand correctly, do I need to pass all traffic through IDS
box. IDS will act as a router also. And based on alerts, IDS will make
modification in IPCHAIN and will drop or allow packets.
Or is there any other way out? How can I find out documents on this?



-----Original Message-----
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher at ...11254...] 
Sent: 15 February 2005 10:06
To: Lokesh Khanna; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] new user - snort is not droping pacekts

--On 15 February 2005 08:52 +0100 lokesh.khanna at ...13040... wrote:

> I have just installed Snort 2.3.0RC2 on Enterprise Redhat with ACID.
> I am using webmin to manage rules. I have used Manhunt and Real Secure
> before. I am using snort 1st time.
> I can see lots of Alert in ACID Console. But I do not understand how
> Snort will drop the packet if it is matching any rule.
> In Real Secure I used to define action for each rule. How can I do
> here?

Either use snort in inline (IPS) mode, and replace 'alert' with 'drop',
look into using something like SnortSam or Flexresp to run scripts which

add ACLs to your routers, or rules to your firewalls.

If you don't use snort in inline mode, it's a NIDS and will not
directly with the sessions that it sees.

> Is there any other tool to manage rules?

Snortcenter2, oinkmaster.

I prefer the latter, these days. Writing an oinkmaster rule to 
programmatically modify dozens of rules is quicker and easier than
a few hundred times with a greater chance of human error.

> LK

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-users mailing list