[Snort-users] Question for the Guru's

John Liss john at ...15436...
Mon Nov 14 11:55:55 EST 2011

Hey Gang,

We have been Snort users for a long while now, and we have always used 
it as an IDS, in alert mode only, with a mirrored port.
Our typical setup is like: 
Internet -> firewall - lan
                         snort eth 1

Recently our team has started to research a more proactive approach to 
using snort where we can drop packets on offending rules.

So the question to the group would be:

Requirements:  Snort to be inline, bridged, and have the ability to drop 
bad traffic.
Internet -> snort eth1 -> snort eth2 -> firewall -> lan

What is the best way to approach dropping packets for offending rules?

Just plain Snort?  (Does it support inline with the ability to drop?)
Snort with SnortSam?
Snort_inline (though it doesn't look like it is maintained much anymore)

We want to do inline mode with a subscription to rules, but before 
we purchase the rules we need a proof of concept first.

We would like to use the latest snort-2.9.1.x branch if we can.

Thanks in advance!
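An added example, not part of the original post or of the Snort project, showing one proof-of-concept layout for the bridged setup asked about above: the inline-related snort.conf settings for the afpacket DAQ, the command line for Snort 2.9.x with -Q, and a small helper that flips selected rules from alert to drop. The interface names eth1/eth2, the /tmp/snort-poc path, the sample rules and the sid list are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): Snort 2.9.x inline between
# eth1 and eth2 using the afpacket DAQ, plus an alert->drop rule helper.
# Assumptions: eth1/eth2, $POC_DIR and the sids below are placeholders.
POC_DIR="${POC_DIR:-/tmp/snort-poc}"

# Settings that go into snort.conf for inline operation.
write_inline_conf() {
    mkdir -p "$POC_DIR"
    cat > "$POC_DIR/inline.conf" <<'EOF'
# afpacket bridges the two NICs in software; Snort sits between them
config daq: afpacket
config daq_mode: inline
# rules with the "drop" action really drop instead of only alerting
config policy_mode: inline
EOF
    echo "$POC_DIR/inline.conf"
}

# Command line for the proof of concept (run as root; -Q enables inline).
snort_inline_cmd() {
    printf 'snort -Q --daq afpacket -i eth1:eth2 -c %s/snort.conf -A console\n' "$POC_DIR"
}

# Constructed sample rules: two alert rules, only one will be switched to drop.
write_sample_rules() {
    mkdir -p "$POC_DIR"
    cat > "$POC_DIR/sample.rules" <<'EOF'
alert tcp any any -> any any (msg:"constructed test rule"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed http rule"; sid:1000002; rev:1;)
EOF
    echo "$POC_DIR/sample.rules"
}

# Rewrite rules whose sid is in $2 (space-separated) from alert to drop.
# $1 = rules file; the converted rule set is written to stdout.
alert_to_drop() {
    rules="$1"; sids="$2"
    while IFS= read -r line; do
        keep="$line"
        case "$line" in
            alert*)
                for s in $sids; do
                    case "$line" in *"sid:$s;"*) keep="drop${line#alert}" ;; esac
                done ;;
        esac
        printf '%s\n' "$keep"
    done < "$rules"
}
```

Start with a handful of high-confidence sids in the drop list and watch the console output before widening it.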


