[Snort-users] Question for the Guru's
john at ...15436...
Mon Nov 14 11:55:55 EST 2011
We have been Snort users for a long while now, and we have always used
it as an IDS, in alert mode only, on a mirrored port.
Our typical setup looks like:
Internet -> firewall - lan
snort eth 1
Recently our team has started to research a more proactive approach to
using snort where we can drop packets on offending rules.
So the question to the group would be:
Requirements: Snort to be inline, bridged, and have the ability to drop
Internet -> snort eth1 -> snort eth2 -> firewall -> lan
What is the best way to approach dropping packets for offending rules?
Just plain Snort? (Does 188.8.131.52 support inline with the ability to drop?)
Snort with SnortSam?
Snort_inline? (though it doesn't look like it is maintained much anymore)
We want to run inline mode with a rule subscription, but before we
purchase the rules we need a proof of concept first.
We would like to use the latest snort-2.9.1.x branch if we can.
Thanks in advance!
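As an added example for the proof of concept asked about above (this is not part of the original post, nor Snort's own scripts), here is the setup a practitioner would type for the "Internet -> snort eth1 -> snort eth2 -> firewall" layout on the 2.9.x branch: Snort's afpacket DAQ in inline mode bridges the two interfaces itself, so no OS-level bridge is needed, and "drop" rules only drop when Snort is started with -Q. The interface names eth1/eth2, the paths under /etc/snort, the HOME_NET range and the rule SIDs are assumptions chosen for the example; the afpacket DAQ module is assumed to be installed alongside Snort.

```shell
#!/bin/sh
# Added example (not from the original post): Snort 2.9.x inline PoC helpers.
# Assumptions: interfaces eth1 (Internet side) and eth2 (firewall side) carry no
# IP addresses; Snort is built with the DAQ library and the afpacket module.

# Write a minimal rules file. The rules are constructed for the PoC:
# one "drop" rule, which only blocks when Snort runs inline (-Q),
# and one "alert" rule for comparison, which is logged but never blocks.
write_poc_rules() {
    cat > "$1" <<'EOF'
# Constructed PoC rules; SIDs >= 1000000 are the local-rule range.
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"POC inline drop telnet"; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"POC alert only icmp"; sid:1000002; rev:1;)
EOF
}

# Write a minimal snort.conf for the PoC. HOME_NET is an assumed RFC1918 range.
# "config policy_mode:inline" makes the config explicit about the run mode.
write_poc_conf() {
    cat > "$1" <<EOF
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !\$HOME_NET
config policy_mode:inline
include $2
EOF
}

# Count rules in a file that use a given action keyword, ignoring comments.
count_rules() {
    awk -v act="$2" '!/^[[:space:]]*#/ && $1 == act { n++ } END { print n + 0 }' "$1"
}

# Sanity-check a rules file before the inline run: every rule must use an
# action Snort 2.9 knows, and at least one must be a blocking action
# (drop, sdrop, reject), otherwise nothing would ever be dropped.
check_inline_rules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^(alert|log|pass|drop|sdrop|reject|activate|dynamic)$/ {
            if ($1 ~ /^(drop|sdrop|reject)$/) blocking++
            next
        }
        { bad++ }
        END { exit (bad > 0 || blocking == 0) ? 1 : 0 }
    ' "$1"
}

# Print the Snort command line for inline afpacket mode across two interfaces.
# -Q enables inline mode; "eth1:eth2" tells afpacket to forward between them.
snort_inline_cmd() {
    printf 'snort -Q --daq afpacket --daq-mode inline -i %s:%s -c %s -A console\n' \
        "$1" "$2" "$3"
}

# Bring both bridge legs up in promiscuous mode with no addresses assigned.
# Not invoked here; run it as root on the sensor before starting Snort.
prepare_ifaces() {
    for dev in "$1" "$2"; do
        ip addr flush dev "$dev"
        ip link set dev "$dev" up promisc on
    done
}

# Usage on the sensor (as root):
#   write_poc_rules /etc/snort/rules/poc.rules
#   write_poc_conf  /etc/snort/snort.conf /etc/snort/rules/poc.rules
#   check_inline_rules /etc/snort/rules/poc.rules && prepare_ifaces eth1 eth2
#   eval "$(snort_inline_cmd eth1 eth2 /etc/snort/snort.conf)"
```

Confirm the drop actually happens by opening a telnet connection from the Internet side through the sensor: the alert shows on the console and the SYN never reaches the firewall, whereas the same rule run without -Q logs the alert and lets the packet through. A rules file that passes check_inline_rules but is loaded by a Snort started in passive mode is the classic way an "inline" PoC silently turns back into an IDS.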