[Snort-users] IPS mode for snort

Mike Miller mike at ...16027...
Wed Jun 12 11:00:07 EDT 2013

Long story short, you gang two network interfaces into a pair, have one
network drop (in from Firewall) going to one interface, and the other
network drop (out to LAN), going to your router/switchfabric, running snort
in inline mode, you have additional actions in your snort rules, where
before you can Alert, log, etc...you can also Pass, Drop, reject, and sdrop
the packets, which prevent them from going from one interface to the other.

You can set snort up in inline mode, and so long as all the rules are set
to alert, it'll act like snort that's just sniffing traffic. However, if
the snort box goes offline, or you restart the snort processes, or snort
hangs YOU WILL LOSE NETWORK CONNECTIVITY if you're not using a fail-open
network card.

Gig Nics are $9 in the bargain bin. Fail open Gig NICs are closer to $2000,
so you can see why people who don't care for uptime might cut a corner or
two. Last I checked, there was no such thing as a fail-open Fiber NIC, that
may have changed. A quick google shows they exist, are $10k MSRP, and I'm
not sure HOW they work....because, you know, they use LIGHT and all that.
(It's an admitted gap in my knowledge)

1. Aforementioned fail-open behavior
2. Overly aggressive rulesets (if a Fase Positive is set to DROP or REJECT,
you could cause a lot of oddball activity)
3. Another troubleshooting layer for Network Support. (Is the failure at
the ISP, Firewall, Switchfabric...or Emerging Threats)
4. If the Bad Guy think's you're actively blacklisting based on IP, they
can craft packets to make you go deaf. (Like making sure your Snort box is
blocking access to the outside DNS server...because it received a UDP
packet that was bad, that it thinks came from the DNS server.)

That said, having a good, tuned, IDP is a GREAT way to cut down on your day
to day work. If it punts 98% of the sql injection attacks to your webfarm,
you can devote your time to other things.

On Wed, Jun 12, 2013 at 1:44 AM, Nomad Esst <noname.esst at ...131...> wrote:

> >>Hi list
> >>Sorry for these questions, I'm a new snort user.
> >>How can I enable IPS mode for snort? And is it possible to run snort in
> both IDS and IPS modes? How?
> >>Thanks in advance
> >I wouldn't recommend leaping into IPS mode as a new snort user without
> familiarizing yourself with the environment. It's a sharp sword that would
> be >easy to cut yourself on. Can you run IPS/IDS at the same time? Sure,
> but it may not be the optimal way to go.
> Thanks. Could you please tell me how can I have snort act as both IDS and
> IPS modes? What is the configuration?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130612/85c94fc6/attachment.html>

More information about the Snort-users mailing list