[Snort-users] Mirroring port

waldo kitty wkitty42 at ...14940...
Thu Jul 18 11:28:33 EDT 2013


On 7/18/2013 09:42, Abid Ayoub wrote:
> Hello
>
> I want to manage my small network. i have coonected snort to the mirror port of
> the switch .
> For the sniff , ok . But when i want tio block a  traffic like tcp traffic,  i
> can not.
> is there a solution for that?

yes... what you want is IPS (or inline mode) and not just a (hidden) IDS 
sniffer... that means at least two ports on the snort box with traffic entering 
on one port, traversing thru snort and then out the other port...

uncle google found the following with a search for "snort IPS inline how"

https://www.ibm.com/developerworks/community/blogs/58e72888-6340-46ac-b488-d31aa4058e9c/entry/august_8_2012_12_01_pm6?lang=en

or shortened

http://tinyurl.com/o2cjhdp

> Can i sniff from an interface (eth0) and apply instruction from another
> interface (eth1)?

there is that possibility as well... the other interface is known as an admin 
interface, IIRC... in IPS inline mode, you would have three ports in your snort 
box...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-users mailing list