[Snort-users] Question for the Gurus

carlopmart carlopmart at ...11827...
Mon Nov 14 12:21:01 EST 2011


On 11/14/2011 05:55 PM, John Liss wrote:
> Hey Gang,
>
> We have been Snort users for a long while now, and we have always used
> it as an IDS, in alert mode only, with a mirrored port.
> Our typical setup is like:
> http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
> Internet -> firewall - lan
>                 |
>             snort eth1
>
> Recently our team has started to research a more proactive approach to
> using snort where we can drop packets on offending rules.
>
> So the question to the group would be:
>
> Requirements:  Snort to be inline, bridged, and have the ability to drop
> bad traffic.
> Internet ->  snort eth1 ->  snort eth2 ->  firewall ->  lan
>
> What is the best way to approach dropping packets for offending rules?
>
> Just plain Snort?  (Does 2.9.1.2 support inline with the ability to drop?)
> Snort with Samsnort?
> Snort inline (though doesn't look like it is maintained much anymore)
>
> We are wanting to do inline mode with a subscription to rules but before
> we purchase the rules, we need a proof of concept first.
>
> We would like to use the latest snort-2.9.1.x branch if we can.
>
> Thanks in advance!
>
> -John
>

See daq docs about af-packet and nfq ...


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
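An added example to go with the reply above (not from either poster): the two DAQ modules mentioned, afpacket and nfq, as Snort 2.9.x command lines for the bridged inline layout John describes, plus a check on the local rules file that distinguishes rules that only alert from rules that actually block. The config and rules paths, interface names and the sample rules are all assumptions for the proof of concept.

```shell
#!/bin/sh
# Added example, not part of the original thread. Shows how Snort 2.9.x is
# started inline with the afpacket DAQ (software bridge between two NICs) or
# the nfq DAQ (packets handed over by an iptables NFQUEUE), and how to tell
# alert-only rules from drop rules before trusting a proof of concept.
# Paths and interface names below are assumptions; adjust to your install.

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# Print the snort command line for an inline deployment.
#   build_snort_cmd afpacket eth1 eth2   -> bridge eth1 <-> eth2 in software
#   build_snort_cmd nfq 0                -> read from iptables NFQUEUE 0
build_snort_cmd() {
    mode=$1
    case $mode in
        afpacket)
            # "eth1:eth2" tells the afpacket DAQ to forward between the pair;
            # -Q switches Snort to inline (drop-capable) mode.
            printf 'snort --daq afpacket --daq-mode inline -i %s:%s -Q -c %s\n' \
                "$2" "$3" "$SNORT_CONF"
            ;;
        nfq)
            # nfq needs a matching netfilter rule on the box, for example:
            #   iptables -I FORWARD -j NFQUEUE --queue-num 0
            printf 'snort --daq nfq --daq-mode inline --daq-var queue=%s -Q -c %s\n' \
                "$2" "$SNORT_CONF"
            ;;
        *)
            echo "unknown mode: $mode (use afpacket or nfq)" >&2
            return 1
            ;;
    esac
}

# Count rules whose action is "drop". Only these block traffic in inline
# mode; "alert" rules keep logging exactly as they did on the mirror port.
# Blank lines and comments are skipped.
count_drop_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '^[[:space:]]*drop[[:space:]]'
}

# Write a constructed sample local.rules to the given path.
write_sample_rules() {
    cat > "$1" <<'EOF'
# alert-only rule: logs but does not block, even when Snort runs with -Q
alert tcp any any -> any 23 (msg:"telnet seen"; sid:1000001; rev:1;)
# drop rules: blocked only when Snort is inline (-Q); ignored otherwise
drop tcp any any -> any 23 (msg:"telnet blocked"; sid:1000002; rev:1;)
drop icmp any any -> $HOME_NET any (msg:"inbound icmp blocked"; sid:1000003; rev:1;)
EOF
}

# Usage: sh snort-inline.sh   (prints the command lines; does not start snort)
build_snort_cmd afpacket eth1 eth2
build_snort_cmd nfq 0
```

The afpacket form is the one that matches the requested layout (Internet -> eth1 -> eth2 -> firewall): Snort itself bridges the two interfaces, so no kernel bridge or IP addresses are needed on them. The nfq form instead sits on a host that already routes or bridges the traffic and lets netfilter queue packets to Snort, which is easier to fail open if the Snort process dies. In both cases a rule only blocks if its action is `drop` (or `reject`/`sdrop`); the subscription rules ship as `alert`, so a drop policy has to be applied to them explicitly.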