[Snort-users] Question for the Guru's
dustypath at ...5068...
Mon Nov 14 13:01:44 EST 2011
On 11/14/11 9:21 AM, carlopmart wrote:
> On 11/14/2011 05:55 PM, John Liss wrote:
>> Hey Gang,
>> We have been Snort users for a long while now, and we have always used
>> it as an IDS, in alert mode only, with a mirrored port.
>> Our typical setup is like:
>> Internet -> firewall - lan
>> snort eth 1
>> Recently our team has started to research a more proactive approach to
>> using snort where we can drop packets on offending rules.
>> So the question to the group would be:
>> Requirements: Snort to be inline, bridged, and have the ability to drop
>> bad traffic.
>> Internet -> snort eth1 -> snort eth2 -> firewall -> lan
>> What is the best way to approach dropping packets for offending rules.
>> Just plain Snort? (Does 184.108.40.206 support inline with the ability to drop?)
>> Snort with Samsnort?
>> Snort inline (though it doesn't look like it is maintained much anymore)
>> We are wanting to do inline mode with a subscription to rules but before
>> we purchase the rules, we need a proof of concept first.
>> We would like to use the latest snort-2.9.1.x branch if we can.
>> Thanks in advance!
> See daq docs about af-packet and nfq ...
If I may jump in here to forward the conversation, does anyone have an
opinion on which is better inline, af-packet or nfq?
I am currently running Snort inline using af-packet (on Gentoo), and
NFQ was not originally available in the 2.9.x.x version.
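One thing the thread leaves implicit, for the proof of concept John describes: whichever DAQ you pick (af-packet or nfq), Snort 2.9 only drops a packet when it is running inline (`-Q`) and the matching rule's action is `drop`, `sdrop` or `reject`; plain `alert` rules keep alerting. Converting a whole feed to `drop` on day one is a good way to blackhole the LAN, so a practical PoC flips only a chosen set of SIDs. The script below is an added example written for this thread, not code from the Snort project or from any poster; the ruleset it rewrites is a constructed sample, and the SID list is the one thing you would edit. It goes slightly beyond the thread in that it also supports `sdrop` and `reject`, and it deliberately leaves commented-out rules and rules without a sid untouched.

```python
"""Rewrite selected Snort 2.9 'alert' rules to 'drop' for an inline proof of concept.

Added example for the thread above (not Snort project code). Assumptions:
  - one rule per line (Snort's backslash line continuation is not handled here)
  - only 'alert' rules are converted; 'pass', 'log' and already-dropping rules are kept
"""
import re
import sys

# Constructed sample ruleset for the example (not from a real subscription feed).
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server,established; threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Suspicious User-Agent"; flow:to_server,established; content:"User-Agent|3A| sqlmap"; http_header; sid:1000002; rev:2;)
# alert udp any any -> $HOME_NET 53 (msg:"disabled rule stays disabled"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; itype:8; sid:1000004; rev:1;)
"""

# Rule actions understood by Snort 2.9; 'drop', 'sdrop' and 'reject' only take effect with -Q.
ACTIONS = ('alert', 'log', 'pass', 'drop', 'sdrop', 'reject')
INLINE_ACTIONS = ('drop', 'sdrop', 'reject')
RULE_RE = re.compile(r'^(?P<action>%s)\s+(?P<rest>.*)$' % '|'.join(ACTIONS))
SID_RE = re.compile(r'\bsid\s*:\s*(?P<sid>\d+)\s*;')


def rule_sid(line):
    """Return the integer SID of a rule line, or None if the line has no sid option."""
    m = SID_RE.search(line)
    return int(m.group('sid')) if m else None


def to_drop(line, drop_sids, new_action='drop'):
    """Return `line` with its action changed to `new_action` if it is an 'alert'
    rule whose SID is in `drop_sids`; any other line is returned unchanged."""
    if new_action not in INLINE_ACTIONS:
        raise ValueError('inline action must be one of %s' % (INLINE_ACTIONS,))
    stripped = line.lstrip()
    if not stripped or stripped.startswith('#'):
        return line                      # blank line or commented-out rule: leave alone
    m = RULE_RE.match(stripped)
    if not m or m.group('action') != 'alert':
        return line                      # not a rule, or not an alert rule
    sid = rule_sid(stripped)
    if sid is None or sid not in drop_sids:
        return line                      # no sid, or not selected for dropping
    indent = line[:len(line) - len(stripped)]
    return indent + new_action + ' ' + m.group('rest')


def convert_ruleset(text, drop_sids, new_action='drop'):
    """Apply to_drop() to every line of a rules file and return the new text."""
    out = '\n'.join(to_drop(l, drop_sids, new_action) for l in text.splitlines())
    return out + ('\n' if text.endswith('\n') else '')


def count_actions(text):
    """Histogram of rule actions in a rules file, ignoring comments and blank lines.
    Useful as a sanity check before and after conversion."""
    counts = {}
    for l in text.splitlines():
        m = RULE_RE.match(l.lstrip())
        if m:
            counts[m.group('action')] = counts.get(m.group('action'), 0) + 1
    return counts


if __name__ == '__main__':
    # Usage: python snort_dropsid.py [rules-file] [sid ...]; with no args, runs on the sample.
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as f:
            rules = f.read()
        sids = {int(s) for s in sys.argv[2:]}
    else:
        rules, sids = SAMPLE_RULES, {1000001, 1000002}
    converted = convert_ruleset(rules, sids)
    sys.stderr.write('before: %r\nafter:  %r\n' % (count_actions(rules), count_actions(converted)))
    sys.stdout.write(converted)
```

Load the converted file from snort.conf and start Snort inline, for example `snort -Q --daq afpacket -i eth1:eth2 -c /etc/snort/snort.conf` for the bridged af-packet setup in John's diagram (the interface pair is an assumption; substitute your own), or `snort -Q --daq nfq --daq-var queue=0 -c /etc/snort/snort.conf` together with an iptables `-j NFQUEUE --queue-num 0` rule for the nfq variant. Check the `before`/`after` histogram on stderr against the number of SIDs you meant to convert before putting the box in the path.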