[Snort-users] Question for the Guru's

NA dustypath at ...5068...
Mon Nov 14 13:01:44 EST 2011


On 11/14/11 9:21 AM, carlopmart wrote:
> On 11/14/2011 05:55 PM, John Liss wrote:
>> Hey Gang,
>>
>> We have been Snort users for a long while now, and we have always used
>> it as an IDS, in alert mode only, with a mirrored port.
>> Our typical setup is like:
>> http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
>> Internet ->  firewall - lan
>> |
>>                           snort eth 1
>>
>> Recently our team has started to research a more proactive approach to
>> using snort where we can drop packets on offending rules.
>>
>> So the question to the group would be:
>>
>> Requirements:  Snort to be inline, bridged, and have the ability to drop
>> bad traffic.
>> Internet ->  snort eth1 ->  snort eth2 ->  firewall ->  lan
>>
>> What is the best way to approach dropping packets for offending rules.
>>
>> Just plain Snort?  (Does 2.9.1.2 support inline with the ability to drop?)
>> Snort with Samsnort?
>> Snort inline (though doesn't look like it is maintained much anymore)
>>
>> We are wanting to do inline mode with a subscription to rules but before
>> we purchase the rules, we need a proof of concept first.
>>
>> We would like to use the latest snort-2.9.1.x branch if we can.
>>
>> Thanks in advance!
>>
>> -John
>>
> See daq docs about af-packet and nfq ...
>
>
If I may jump in here to forward the conversation, does anyone have an
opinion of which is better in-line, af-packet or nfq?
I am currently running Snort inline using af-packet (using Gentoo) and
NFQ was not originally available in the 2.9.x.x version.
-Bill
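Worked example added by the editor, not posted by John, Bill or carlopmart: a minimal inline Snort 2.9.x proof of concept showing the two DAQ modules the thread points at. The config forces inline policy mode, loads one drop rule, and the helper functions build the afpacket (Snort bridges eth1:eth2 itself) and nfq (kernel forwards, iptables diverts to an NFQUEUE) invocations. Interface names eth1/eth2, the 192.168.1.0/24 HOME_NET, port 23, sid 1000001 and queue number 1 are assumptions; the full snort.conf shipped with a rule subscription is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: eth1/eth2 as the bridged pair,
# HOME_NET 192.168.1.0/24, NFQUEUE number 1. Adjust before running on a sensor.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a stripped-down snort.conf plus one local drop rule. Without
# "config policy_mode: inline" (or -Q on the command line) a drop rule only
# alerts, which is the trap a PoC is meant to catch early.
write_config() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/snort.conf" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
# Inline policy: "drop"/"reject"/"sdrop" rules take effect instead of alerting.
config policy_mode: inline
# Default DAQ; --daq / --daq-mode on the command line override these.
config daq: afpacket
config daq_mode: inline
output alert_fast: alert.log
include local.rules
EOF
    # Assumed test rule: inbound telnet from outside is dropped inline.
    cat > "$WORKDIR/local.rules" <<'EOF'
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Inline PoC: inbound telnet dropped"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)
EOF
}

# afpacket DAQ: Snort forwards frames between the two NICs itself; the
# interfaces carry no IP address and no iptables rules are involved.
# buffer_size_mb sizes the per-interface ring (DAQ default is 128).
afpacket_cmd() {
    in_if="$1"; out_if="$2"
    printf 'ip link set %s up promisc on && ip link set %s up promisc on\n' "$in_if" "$out_if"
    printf 'snort -Q --daq afpacket --daq-mode inline --daq-var buffer_size_mb=256 -i %s:%s -c %s/snort.conf -l %s\n' \
        "$in_if" "$out_if" "$WORKDIR" "$WORKDIR"
}

# nfq DAQ: the kernel does the forwarding (router, or a Linux bridge with
# bridge-nf-call-iptables=1) and an NFQUEUE rule hands packets to Snort for
# a verdict. Caveat: while no process holds the queue, queued packets are
# dropped, so a crashed Snort fails closed unless --queue-bypass is set.
nfq_cmds() {
    queue="$1"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s\n' "$queue"
    printf 'snort -Q --daq nfq --daq-var queue=%s -c %s/snort.conf -l %s\n' \
        "$queue" "$WORKDIR" "$WORKDIR"
}

# Config check a practitioner runs before going inline: snort -T parses the
# config and rules and exits. Skipped (returns 0) when snort is not installed.
check_config() {
    command -v snort >/dev/null 2>&1 || return 0
    snort -T -Q -c "$WORKDIR/snort.conf" -l "$WORKDIR" >/dev/null 2>&1
}

write_config
check_config
echo "# afpacket variant:"; afpacket_cmd eth1 eth2
echo "# nfq variant:";      nfq_cmds 1
```

Run the script on the sensor to generate the files and print both command sets; pick one variant and paste its lines. Verify the drop with a telnet attempt from outside HOME_NET: the connection should hang rather than complete, and alert.log should show the sid 1000001 event.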