[Snort-users] Advice on Snort Inline

Jason Brvenik jasonb at ...1935...
Fri Sep 8 10:28:09 EDT 2006


IIRC it goes something like this

alias ipsbr0 bonding

/etc/sysconfig/ifcfg-ipsbr0
DEVICE=ipsbr0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

/etc/sysconfig/ifcfg-eth0
DEVICE=ips0
USERCTL=no
ONBOOT=yes
MASTER=ipsbr0
SLAVE=yes
BOOTPROTO=none

/etc/sysconfig/ifcfg-eth1
DEVICE=ips1
USERCTL=no
ONBOOT=yes
MASTER=ipsbr0
SLAVE=yes
BOOTPROTO=none


# /sbin/ifconfig ipsbr0 192.168.1.1 up
# /sbin/ifenslave ipsbr0 eth0
# /sbin/ifenslave ipsbr0 eth1



Eric Hines wrote:
> Joel,
> 
> You forgot to mention the cool part of being able to rename the devices
> from eth1 and eth2 to ips0 and ips1 :)
> 
> Mark: Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 and ifcfg-eth2
> files, rename them to ifcfg-ips0 and ifcfg-ips1 and change the line in
> the files that says: DEVICE=eth1 and DEVICE=eth2 to DEVICE=ips0 and
> DEVICE=ips1 respectively
> 
> Although, I've been struggling with how to rename a bond0 interface to
> mgt0 ... :/ :)
> 
> 
> 
> Best Regards,
> 
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
> 
> 
> 
> Email:   eric.hines at ...8860...
> Address: 1095 Pingree Road
>          Suite 221
>          Crystal Lake, IL
>          60014
> Tel:     (877) 262-7593 ext:327
> Local:   (847) 854-5831
> Fax:     (847) 854-5106
> Web:     http://www.appliedwatch.com
> 
> --------------------------------------------------
> Security Management for the Open Source Enterprise
> 
> 
> 
> 
> 
> Joel Esler wrote:
>>> Mark,
>>>
>>> Thanks for emailing the list.
>>>
>>> 3 nics is the way you want to go, one nic in, one nic out.  There
>>> are some configuration guides to Snort inline out there (try the Snort
>>> manual, it's a good starting point), all you have to do is basically
>>> have iptables forward everything to "QUEUE" then Snort reads from that
>>> QUEUE.
>>>
>>> Fedora Core 5 will work just fine, just make sure you are running the
>>> bare minimum of services on it, as you want your Snort box to be as fast
>>> as possible for inline mode.
>>>
>>> Joel
>>>
>>>
>>> Mark Rohrbeck wrote:
>>>>> Hi all, 
>>>>>
>>>>> I have 2 IDS systems in place and tuned to their specific networks, the next
>>>>> step I want to take is running them with Snort_inline. I am just a little
>>>>> unsure on how to do this. I would prefer to use Fedora Core 5 as the OS but
>>>>> open to suggestions. I mainly want to find out if I can run Snort_inline on
>>>>> one box? 
>>>>>
>>>>> The networks are pretty small with 10 - 50 XP PC's and server 2003 / 2000,
>>>>> we run Sonicwall firewalls and I have the Sensors behind the firewall. The
>>>>> picture I have in my mind is having 3 nics in the machine, 1 for Admin and
>>>>> the other 2 for Snort inline. Am I heading in the right direction here?
>>>>>
>>>>> Any advice / help GREATLY appreciated.
>>>>>
>>>>> Marklar
>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> Using Tomcat but need to do more? Need to support web services, security?
>>>>> Get stuff done quickly with pre-integrated technology to make your job easier
>>>>> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>>>>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>> --
>>> +---------------------------------------------------------------------+
>>> Joel Esler  	     Senior Security Consultant 	1-706-627-2101
>>> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
>>> Snort - Open Source Network IPS/IDS -- http://www.snort.org
>>> GPG Key http://demo.sourcefire.com/jesler.pgp.key
>>> +---------------------------------------------------------------------+
> 
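
A pre-flight check for the bonding files at the top of this message, as an added example that is not part of the original thread: it flags an ifcfg file whose name and DEVICE disagree (a half-finished rename) and a slave whose MASTER has no ifcfg file. The function names and the sample files are constructed for illustration, and the "slaves carry no IPADDR" rule is an assumed convention that goes beyond what the thread states.

```bash
#!/usr/bin/env bash
# Added example: lint Red Hat style ifcfg-* files for a bond before ifup.
# All function names are hypothetical.

# get_key FILE KEY: print the value of the last KEY= line, quotes stripped.
get_key() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# lint_ifcfg DIR: one finding per line on stdout; returns 1 if any, else 0.
lint_ifcfg() {
    local dir="$1" f dev master findings=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(get_key "$f" DEVICE)
        master=$(get_key "$f" MASTER)
        # File suffix and DEVICE disagree: an interface rename is half done.
        if [ "${f##*/ifcfg-}" != "$dev" ]; then
            echo "NAME_MISMATCH ${f##*/} DEVICE=$dev"; findings=1
        fi
        [ -n "$master" ] || continue          # not a slave, nothing more to check
        # A slave must name a bond that has its own ifcfg file.
        if [ ! -f "$dir/ifcfg-$master" ]; then
            echo "MISSING_MASTER ${f##*/} MASTER=$master"; findings=1
        fi
        # Convention assumed here: the bond owns the address, slaves have none.
        if [ -n "$(get_key "$f" IPADDR)" ]; then
            echo "SLAVE_HAS_IP ${f##*/}"; findings=1
        fi
        if [ "$(get_key "$f" SLAVE)" != "yes" ]; then
            echo "SLAVE_NOT_SET ${f##*/}"; findings=1
        fi
    done
    return "$findings"
}

# make_sample: write constructed sample files to a temp dir, print its path.
make_sample() {
    local d
    d=$(mktemp -d)
    printf 'DEVICE=ipsbr0\nIPADDR=192.168.1.1\nNETMASK=255.255.255.0\nONBOOT=yes\nBOOTPROTO=none\n' > "$d/ifcfg-ipsbr0"
    printf 'DEVICE=ips0\nMASTER=ipsbr0\nSLAVE=yes\nBOOTPROTO=none\n' > "$d/ifcfg-eth0"    # stale file name
    printf 'DEVICE=ips1\nMASTER=ipsbr00\nSLAVE=yes\nBOOTPROTO=none\n' > "$d/ifcfg-ips1"  # mistyped bond
    echo "$d"
}

sample=$(make_sample)
lint_ifcfg "$sample" || echo "findings above: fix them before bringing the bond up"
rm -rf "$sample"
```

On a real sensor, point `lint_ifcfg` at `/etc/sysconfig/network-scripts` before restarting networking, so a mistyped bond name does not leave the inline pair down.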