[Snort-users] Question for the Gurus

Joel Esler jesler at ...1935...
Mon Nov 14 12:28:57 EST 2011


On Nov 14, 2011, at 11:55 AM, John Liss wrote:

> We have been snort users for a long while now, and we have always used 
> it as an IDS, in alert mode only, with a mirrored port.
> Our typical setup is like: 
> http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
> Internet -> firewall - lan
>                 |
>            snort eth 1
> 
> Recently our team has started to research a more proactive approach to 
> using snort where we can drop packets on offending rules.
> 
> So the question to the group would be:
> 
> Requirements:  Snort to be inline, bridged, and have the ability to drop 
> bad traffic.
> Internet -> snort eth1 -> snort eth2 -> firewall -> lan
> 
> What is the best way to approach dropping packets for offending rules?
> 
> Just plain Snort?  (Does 2.9.1.2 support inline with the ability to drop?)

Yes.  You need to ensure that DAQ compiles in the support for inline.  Please review the DAQ documentation.

Then it's a simple matter of starting Snort with an additional -Q on the command line.

Then you can change a rule from "alert" to "drop", and there you have it.  Pretty simplistic explanation, but check out the DAQ documentation first.

> Snort with Samsnort?

Not real time.

> Snort inline (though it doesn't look like it is maintained much anymore)
> 
Dead.


> We are wanting to do inline mode with a subscription to rules but before 
> we purchase the rules, we need a proof of concept first.
> 
> We would like to use the latest snort-2.9.1.x branch if we can.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
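The reply above boils the inline setup down to two steps: start Snort with -Q on an inline-capable DAQ, then change the action of the rules you want enforced from "alert" to "drop". The script below is an added example, not code from the thread or from the Snort project: it rewrites the action of selected rules by SID (so a proof of concept can start by dropping only a handful of rules rather than the whole ruleset) and records the command line that runs Snort bridged between two interfaces. The interface names (eth1, eth2), the config path, the SID values and the sample rules are assumptions constructed for the demo; the afpacket DAQ, -Q, --daq-mode and the eth1:eth2 pairing syntax are the real Snort 2.9 options.

```shell
#!/bin/sh
# Added example (not from the thread): promote chosen "alert" rules to "drop"
# by SID, and show the inline invocation the reply describes.
# Interface names, file paths, SIDs and the sample rules are assumptions.

# Constructed sample rules (not real VRT rules); every rule starts as "alert".
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO ssh probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO web scan"; sid:1000002; rev:1;)
# a comment line is left untouched
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DEMO dns query"; sid:1000003; rev:1;)'

# promote_to_drop SIDS -- read rules on stdin, write them to stdout with the
# action changed from "alert" to "drop" only for the comma-separated SIDs given.
# Comments and rules with other SIDs pass through unchanged, so the rest of the
# ruleset keeps alerting while the proof of concept enforces a small subset.
promote_to_drop() {
    sids="$1"
    while IFS= read -r line; do
        case "$line" in
            alert\ *)
                # pull the numeric value out of the "sid:NNN;" option
                sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:[[:space:]]*\([0-9]*\);.*/\1/p')
                case ",$sids," in
                    *",$sid,"*) line="drop ${line#alert }" ;;
                esac
                ;;
        esac
        printf '%s\n' "$line"
    done
}

# count_actions ACTION -- count rule lines on stdin that start with ACTION
count_actions() {
    grep -c "^$1 " || true
}

# The invocation the reply refers to (assumed interfaces and config path; it
# is only printed here, not executed). -Q puts Snort in inline mode, the
# afpacket DAQ bridges eth1 and eth2, and "drop" rules then discard matching
# packets instead of only raising an alert on them.
inline_command() {
    printf '%s\n' 'snort -Q --daq afpacket --daq-mode inline -i eth1:eth2 -c /etc/snort/snort.conf'
}

# Demo run: enforce two of the three sample rules.
printf '%s\n' "$SAMPLE_RULES" | promote_to_drop "1000001,1000003"
inline_command
```

A quick check before switching a sensor from the mirrored port to the bridged position is to run the promoted ruleset with -Q against a pcap first (snort -Q -r capture.pcap -c ...) and confirm that only the intended SIDs show up as drops; a rule that was noisy in alert mode becomes an outage in drop mode.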


