[Snort-users] Question for the Gurus

carlopmart carlopmart at ...11827...
Mon Nov 14 13:17:01 EST 2011

On 11/14/2011 07:01 PM, NA wrote:
> On 11/14/11 9:21 AM, carlopmart wrote:
>> On 11/14/2011 05:55 PM, John Liss wrote:
>>> Hey Gang,
>>> We have been Snort users for a long while now, and we have always used
>>> it as an IDS, in alert mode only, with a mirrored port.
>>> Our typical setup is like:
>>> http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
>>> Internet -> firewall - lan
>>>                 |
>>>             snort eth1
>>> Recently our team has started to research a more proactive approach to
>>> using snort where we can drop packets on offending rules.
>>> So the question to the group would be:
>>> Requirements:  Snort to be inline, bridged, and have the ability to drop
>>> bad traffic.
>>> Internet ->   snort eth1 ->   snort eth2 ->   firewall ->   lan
>>> What is the best way to approach dropping packets for offending rules.
>>> Just plain Snort? (Does it support inline with the ability to drop?)
>>> Snort with SnortSam?
>>> Snort inline (though it doesn't look like it is maintained much anymore)
>>> We are wanting to do inline mode with a subscription to rules but before
>>> we purchase the rules, we need a proof of concept first.
>>> We would like to use the latest snort-2.9.1.x branch if we can.
>>> Thanks in advance!
>>> -John
>> See daq docs about af-packet and nfq ...
> If I may jump in here to forward the conversation, does anyone have an
> opinion of which is better in-line, af-packet or nfq?
> I am currently running Snort inline using af-packet (using Gentoo) and
> NFQ was not originally available in the 2.9.x.x version.
> -Bill

Inline is a dead line ... To work with Snort as an IPS you need to use 
af-packet or nfq. Better? Depends on your needs, your network topology 
and your experience with Snort.

CL Martinez
carlopmart {at} gmail {d0t} com
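As an added example, not code from this thread or from the Snort project: a POSIX shell setup script for the inline proof of concept John asked about. It writes a minimal snort.conf that forces inline policy mode and loads one local rule with a "drop" action, composes the Snort 2.9.x command lines for the two DAQ modules mentioned above (afpacket, which bridges an interface pair inside Snort, and nfq, which takes packets from an iptables NFQUEUE target), and checks "snort --daq-list" before trusting that a module is built, since Bill notes nfq was not always available. The interface names eth1/eth2, queue number 0, the work directory, the afpacket buffer size and SID 1000001 are illustrative assumptions; the script only composes and prints the commands, so it can be reviewed on a box without Snort before being run as root on the real bridge.

```shell
#!/bin/sh
# Added example (not from the Snort-users thread or the Snort project):
# inline IPS proof-of-concept setup for Snort 2.9.x with the afpacket or
# nfq DAQ. Interface names, queue number, work directory, buffer size
# and the rule SID below are assumptions chosen for illustration.
set -eu

IN_IF="${IN_IF:-eth1}"
OUT_IF="${OUT_IF:-eth2}"
QUEUE="${QUEUE:-0}"
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/snort-ips-poc}"

# Write a minimal snort.conf that treats the sensor as inline (rule
# verdicts are enforced, not just logged) and one local rule whose action
# is "drop" instead of "alert". Prints the path of the generated conf.
write_conf() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/snort.conf" <<EOF
# inline: drop rules really drop; in tap mode they would only alert
config policy_mode:inline
output alert_fast: alert.fast
include $dir/local.rules
EOF
    # Constructed test signature: drop ICMP echo requests crossing the bridge.
    # SID 1000001 is in the local (>= 1000000) range and is an assumption.
    cat > "$dir/local.rules" <<'EOF'
drop icmp any any -> any any (msg:"POC inline drop: ICMP echo request"; itype:8; sid:1000001; rev:1;)
EOF
    printf '%s/snort.conf\n' "$dir"
}

# afpacket: Snort itself bridges the two interfaces given as a:b pair.
# -Q enables inline mode; buffer_size_mb is the afpacket ring size (value illustrative).
afpacket_cmd() {
    printf 'snort -Q --daq afpacket --daq-var buffer_size_mb=256 -i %s:%s -c %s\n' \
        "$1" "$2" "$3"
}

# nfq: the kernel forwards (or bridges) as usual and iptables diverts
# FORWARD traffic to an NFQUEUE; Snort attaches to that queue number and
# returns an accept/drop verdict per packet.
nfq_iptables_cmd() {
    printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s\n' "$1"
}

nfq_cmd() {
    printf 'snort -Q --daq nfq --daq-var queue=%s -c %s\n' "$1" "$2"
}

# Returns 0 if "snort --daq-list" lists the named module (e.g. "nfq(v7): ...").
# Fails when snort is not installed or the module was not built.
daq_available() {
    command -v snort >/dev/null 2>&1 || return 1
    snort --daq-list 2>/dev/null | grep -q "^$1("
}

main() {
    conf=$(write_conf "$WORKDIR")
    echo "# config written to $conf"
    echo "# afpacket (Snort bridges $IN_IF <-> $OUT_IF; both up, no IP addresses):"
    afpacket_cmd "$IN_IF" "$OUT_IF" "$conf"
    echo "# nfq (iptables hands FORWARD traffic to queue $QUEUE):"
    nfq_iptables_cmd "$QUEUE"
    nfq_cmd "$QUEUE" "$conf"
    for d in afpacket nfq; do
        if daq_available "$d"; then
            echo "# DAQ $d: available"
        else
            echo "# DAQ $d: not listed by 'snort --daq-list' (or snort not installed)"
        fi
    done
}

main
```

For the afpacket variant both interfaces must be up and carry no IP addresses, and Snort must run as root (or with the capabilities to open raw sockets); with nfq, remember that the iptables rule keeps queueing packets even when Snort is not attached, so use a "--queue-bypass" or remove the rule when the sensor stops, otherwise forwarded traffic stalls.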
