[Snort-users] Advice on Snort Inline

Eric Hines eric.hines at ...8860...
Fri Sep 8 10:05:47 EDT 2006


Joel,

You forgot to mention the cool part of being able to rename the devices
from eth1 and eth2 to ips0 and ips1 :)

Mark: Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 and ifcfg-eth2
files, rename them to ifcfg-ips0 and ifcfg-ips1 and change the line in
the files that says: DEVICE=eth1 and DEVICE=eth2 to DEVICE=ips0 and
DEVICE=ips1 respectively.

Although, I've been struggling with how to rename a bond0 interface to
mgt0 ... :/ :)



Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


Email:   eric.hines at ...8860...
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
         60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

--------------------------------------------------
Security Management for the Open Source Enterprise





Joel Esler wrote:
> Mark,
> 
> Thanks for emailing the list.
> 
> 3 nics is the way you want to go, one nic in, one nic out.  There
> are some configuration guides to Snort inline out there (try the Snort
> manual, it's a good starting point), all you have to do is basically
> have iptables forward everything to "QUEUE" then Snort reads from that
> QUEUE.
> 
> Fedora Core 5 will work just fine, just make sure you are running the
> bare minimum of services on it, as you want your Snort box to be as fast
> as possible for inline mode.
> 
> Joel
> 
> 
> Mark Rohrbeck wrote:
>>> Hi all, 
>>>
>>> I have 2 IDS systems in place and tuned to their specific networks, the next
>>> step I want to take is running them with Snort_inline. I am just a little
>>> unsure on how to do this. I would prefer to use Fedora Core 5 as the OS but
>>> open to suggestions. I mainly want to find out if I can run Snort_inline on
>>> one box? 
>>>
>>> The networks are pretty small with 10 - 50 XP PC's and server 2003 / 2000,
>>> we run Sonicwall firewalls and I have the Sensors behind the firewall. The
>>> picture I have in my mind is having 3 nics in the machine, 1 for Admin and
>>> the other 2 for Snort inline. Am I heading in the right direction here?
>>>
>>> Any advice / help GREATLY appreciated.
>>>
>>> Marklar
> 
> --
> +---------------------------------------------------------------------+
> Joel Esler  	     Senior Security Consultant 	1-706-627-2101
> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
> Snort - Open Source Network IPS/IDS -- http://www.snort.org
> GPG Key http://demo.sourcefire.com/jesler.pgp.key
> +---------------------------------------------------------------------+

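The rename steps from Eric's message (rename the ifcfg file, then change its DEVICE= line), as an added example that is not part of the original thread. The `rename_ifcfg` helper, the backup file name and the HWADDR warning are assumptions of this example, and the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: rename one interface config file.
# Usage: rename_ifcfg DIR OLD NEW   (DIR is normally /etc/sysconfig/network-scripts)
rename_ifcfg() {
    dir=$1; old=$2; new=$3
    src="$dir/ifcfg-$old"
    dst="$dir/ifcfg-$new"
    # The names end up in a path and a sed pattern: letters, digits and "_" only.
    for name in "$old" "$new"; do
        case $name in
            ''|*[!A-Za-z0-9_]*) echo "bad interface name: '$name'" >&2; return 1 ;;
        esac
    done
    [ -f "$src" ] || { echo "missing $src" >&2; return 2; }
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 3; }
    # Match DEVICE=eth1, DEVICE="eth1" or DEVICE='eth1', but not DEVICE=eth10.
    pat="^DEVICE=[\"']\{0,1\}$old[\"']\{0,1\}[[:space:]]*\$"
    grep -q "$pat" "$src" ||
        { echo "no DEVICE=$old line in $src" >&2; return 4; }
    # The backup name does not start with "ifcfg-", so it cannot be
    # picked up as a second interface config.
    cp -p "$src" "$dir/saved.ifcfg-$old" || return 5
    sed "s/$pat/DEVICE=$new/" "$src" > "$dst" || { rm -f "$dst"; return 5; }
    rm -f "$src"
    # Assumption, not stated in the thread: the network scripts use HWADDR=
    # to decide which physical NIC receives the new name, so warn if absent.
    grep -q '^HWADDR=' "$dst" ||
        echo "note: $dst has no HWADDR= line to pin $new to a NIC" >&2
}

# Demo on constructed files in a scratch directory (not the live config).
demo=$(mktemp -d)
printf 'DEVICE=eth1\nONBOOT=yes\nHWADDR=00:11:22:33:44:55\n' > "$demo/ifcfg-eth1"
printf 'DEVICE="eth2"\nONBOOT=yes\n' > "$demo/ifcfg-eth2"
rename_ifcfg "$demo" eth1 ips0
rename_ifcfg "$demo" eth2 ips1
grep '^DEVICE=' "$demo"/ifcfg-*
rm -rf "$demo"
```

Run it against a copy of the directory first, and restart networking from the console rather than over one of the interfaces being renamed.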