[Snort-users] new user - snort is not dropping packets

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Feb 15 01:35:25 EST 2005

--On 15 February 2005 10:23 +0100 lokesh.khanna at ...13040... wrote:

> I remember in RealSecure or ManHunt, I used to configure a port in
> mirroring mode on switch and I put IDS on that port. All our traffic was
> going through that mirrored port. Based on rules defined in IDS, it was
> dropping / logging packets.

Logging, yes, but those products would only have been dropping (i.e. 
blocking, rejecting) packets if they were interacting with a firewall or 
router in some way (or they were running in some kind of IPS mode, which 
you seem to indicate was not the case).

> If I understand correctly, do I need to pass all traffic through the IDS
> box?

If you're using inline mode, yes, the snort machine will be acting as a 
router (actually an Intrusion _Prevention_ System or IPS). See 
<http://snort-inline.sourceforge.net/> and README.INLINE for more info on 
inline mode. Note that 2.3.0 integrates the inline stuff IIRC.

> IDS will act as a router also. And based on alerts, IDS will make
> modification in IPCHAIN and will drop or allow packets.

See the above site for the details.

> Or is there any other way out? How can I find out documents on this?

<http://www.snortsam.net/> and README.FLEXRESP and README.FLEXRESP2 in the 
snort docs.

> Cordially,
> LK

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
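As an added illustration (not part of this thread, nor code from the snort-inline project), here is a sketch of the inline deployment Alex describes: the sensor forwards packets itself and hands each one to `snort -Q` through the iptables QUEUE target, which is what lets a rule drop a packet rather than merely log it as a sensor on a mirrored switch port would. It assumes Snort 2.3.x built with --enable-inline plus the ip_queue kernel module; interface names, paths and sid values are hypothetical.

```shell
#!/bin/sh
# Added example (not from the list thread): minimal snort_inline deployment on a
# Linux box that routes traffic between two interfaces, so Snort can return
# drop verdicts instead of only logging (as it would on a mirrored switch port).
# Assumptions: Snort 2.3.x built with --enable-inline, the ip_queue kernel module
# and libipq available; interface names, paths and sids below are hypothetical.
set -eu

LAN_IF="${LAN_IF:-eth0}"          # hypothetical inside interface
WAN_IF="${WAN_IF:-eth1}"          # hypothetical outside interface
RULES="${RULES:-/etc/snort/inline.rules}"
DRY_RUN="${DRY_RUN:-}"            # set DRY_RUN=1 to print commands instead of running them

# Run a privileged command, or just echo it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Same signature body twice: 'alert' only logs, while 'drop' tells the kernel
# (via ip_queue) to discard the packet. sid values are constructed.
write_rules() {
  cat <<'EOF'
alert tcp any any -> any 23 (msg:"telnet seen - log only"; sid:1000001; rev:1;)
drop  tcp any any -> any 23 (msg:"telnet blocked inline"; sid:1000002; rev:1;)
EOF
}

# Plumbing that turns the sensor into the router the thread talks about:
# forwarding on, and every forwarded packet handed to userspace via QUEUE,
# where snort -Q reads it with libipq and answers accept or drop.
setup_inline() {
  run modprobe ip_queue
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j QUEUE
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j QUEUE
  run snort -Q -c /etc/snort/snort.conf -l /var/log/snort -D
}

# Only apply when explicitly asked, so sourcing or testing this file is harmless.
if [ "${1:-}" = "apply" ]; then
  write_rules > "$RULES"
  setup_inline
fi
```

Run it as `sh inline.sh apply` on the sensor; with `DRY_RUN=1` it only prints the commands it would execute.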

