[Snort-users] Question about Inline mode

Albert E. Whale aewhale at ...6483...
Sun Dec 4 21:36:07 EST 2011


Thanks, I completely left out the Management interface.  I still have
further questions, please see below.

On 12/4/2011 5:55 PM, NA wrote:
> On 12/4/11 12:48 PM, Albert E. Whale wrote:
>> I have been asked to develop an IDS/IPS solution which can span
>> multiple zones behind a firewall.
>>
>> While I have reservations in implementing a single box to become an
>> active sensor for IDS/IPS solutions on the networks.
>>
>>  In addition to believing that this is the wrong strategy to use in
>> protecting internal networks (I am supposed to protect 4 internal
>> networks), I am not certain of the correct configuration of the host
>> server.
>>
>> In an Inline mode, are the network interfaces linked?  What network
>> configuration is required for IDS/IPS or inline configuration?
> Inline mode is done via a DAQ module. Inline is supported by at least
> the NFQ and Afpacket DAQ modules. This is new to Snort as of the 2.9.x.x
> versions. You actually need 3 interfaces as traffic goes across, for
> example setting your sensor to detect across eth0:eth1 and the eth2 as
> the management interface.  
Thank you, I have found the following pages:

http://www.snort.org/snort-downloads/external-daq/
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html

Helpful as they were, I still have the following questions.

When using either NFQ or the DAQ modules, are the interfaces bonded
together?  I completely understand that the Management interface is
assigned an IP Address, a gateway and a network (subnet mask).

What happens to the two interfaces used in inline mode?  If I place the
sensor inline, are the interfaces numbered?  Do I need to fully provide
networking (routing) between the interfaces?
>
>> Does the inline mode require two interfaces?
>>
>> Can Snort support multiple networks, simultaneously?  Does this reduce
>> the throughput capability of the monitor?
> Multiple networks can be supported but of course bandwidth is the
> consideration here along with the strength of the Snort sensor. There
> are better people on this list to answer than me but depending on the
> size/bandwidth considerations you may want to consider using 4 sensors
> that report to a main server for analysis. Like I said, others on this
> list can help there as I have no experience here. Search the Google
> Groups list too.
Four sensors and a Main Server is an exceptional idea.  Thank you for that.

From reading the above sites listed, it would seem that afpacket is the
method to use for inline use.  Is there a consensus here?

> Hope this serves at least as a start to answer your questions.
> Bill
>
> snip
>


-- 

Albert E. Whale, CHS CISA CISSP
Senior Technology & Security Director
ABS Computer Technology, Inc.
412-635-7488 ext 100
aewhale at ...6483...
http://www.ABS-CompTech.com
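As an added illustration of the three-interface layout Bill describes (not code from the thread or from the Snort project), the script below builds the Snort 2.9 afpacket and NFQ inline command lines and checks an `ip -o -4 addr` style dump for the expected layout: the bridged detection pair carries no address and is not routed, only the management interface does. Interface names, the config path and the sample dump are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Snort 2.9 afpacket inline:
# the DAQ bridges the NIC pair in user space, so both inline NICs are brought
# up with no IP address and no route; only the management NIC is addressed.
INLINE_A=eth0                      # assumed inline pair
INLINE_B=eth1
MGMT=eth2                          # assumed management interface
SNORT_CONF=/etc/snort/snort.conf   # assumed config path

# Snort command line for afpacket inline over a NIC pair ("a:b" is the
# afpacket bridge notation, -Q selects inline/drop mode, buffer_size_mb is
# a documented afpacket DAQ variable).
snort_afpacket_cmd() {
  printf 'snort --daq afpacket --daq-mode inline -i %s:%s -Q --daq-var buffer_size_mb=128 -c %s' "$1" "$2" "$3"
}

# NFQ alternative: packets reach Snort through an iptables NFQUEUE target,
# so the kernel forwards them and the box itself must route between NICs.
snort_nfq_cmd() {
  printf 'snort --daq nfq --daq-var queue=%s -Q -c %s' "$1" "$2"
}

# Check a dump in `ip -o -4 addr` format: inline NICs must have no IPv4
# address, the management NIC exactly one. Returns 0 when the layout fits.
check_layout() {
  dump=$1
  for nic in "$INLINE_A" "$INLINE_B"; do
    if printf '%s\n' "$dump" | grep -q " $nic "; then
      echo "error: inline interface $nic carries an IP address" >&2
      return 1
    fi
  done
  n=$(printf '%s\n' "$dump" | grep -c " $MGMT " || true)
  [ "$n" -eq 1 ] || { echo "error: $MGMT should have one address, has $n" >&2; return 1; }
  return 0
}

# Constructed sample dumps (not taken from a real host).
GOOD_DUMP='1: lo    inet 127.0.0.1/8 scope host lo
4: eth2    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth2'
BAD_DUMP="$GOOD_DUMP
2: eth0    inet 192.0.2.20/24 scope global eth0"

if [ "${1:-}" = "--show" ]; then
  snort_afpacket_cmd "$INLINE_A" "$INLINE_B" "$SNORT_CONF"; echo
  check_layout "$GOOD_DUMP" && echo "layout ok"
fi
```

Run with `--show` to print the afpacket command line and the layout check for the constructed dump.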
