[Snort-users] IPS mode for snort

Nomad Esst noname.esst at ...131...
Thu Jun 13 01:59:35 EDT 2013


Thanks. You know, I've just decided to use it in inline mode. I gave that a try with these configurations:
Here is my custom snort.conf: (named snr.conf)
config daq: ipfw
config daq_mode: inline
config policy_mode: inline
output alert_full: stdout
include snort.rule

Here is a simple rule file: (named sort.rule)
drop tcp any any -> any 23 (msg:"Drop telnet packets"; sid:1000001;)
pass ip any any -> any any

And here is what I do:
snort -c /root/snr.conf -Q --alert-before-pass
And I expect the ICMP packets to pass and telnet packets to drop. But both packet types pass! Am I missing something?
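As an added illustration (not code from the thread, and not Snort's own engine), a small Python model of how Snort 2.x orders rule actions in inline mode, applied to the two rules above: with the default order the "pass ip any any -> any any" rule is considered before the drop rule, so everything passes, while --alert-before-pass moves pass rules last so the telnet drop can fire first. The matcher only looks at protocol and destination port, which is an assumption of this model.

```python
# Added illustration, not code from the thread or from Snort: a toy model of
# Snort 2.x rule-action ordering in inline mode, run over the rules posted
# above. Only action, protocol and destination port are matched (assumption).

# Default inline order per the Snort 2.9 manual: pass rules are applied first.
DEFAULT_ORDER = ["pass", "drop", "sdrop", "reject", "alert", "log"]
# With --alert-before-pass the pass rules are considered last.
ALERT_BEFORE_PASS_ORDER = ["drop", "sdrop", "reject", "alert", "log", "pass"]

# The rule file from the post (one rule per line).
RULES = [
    'drop tcp any any -> any 23 (msg:"Drop telnet packets"; sid:1000001;)',
    "pass ip any any -> any any",
]

def parse_rule(text):
    """Return (action, protocol, destination port) from a rule header."""
    header = text.split("(", 1)[0].split()   # e.g. drop tcp any any -> any 23
    return header[0], header[1], header[6]

def matches(rule, proto, dport):
    """Does a parsed rule cover a packet with this protocol and dst port?"""
    _, rproto, rport = rule
    proto_ok = rproto == "ip" or rproto == proto
    port_ok = rport == "any" or (dport is not None and int(rport) == dport)
    return proto_ok and port_ok

def first_action(packet, rules, order):
    """Action of the highest-priority matching rule, or None if none match."""
    parsed = [parse_rule(r) for r in rules]
    for action in order:
        for rule in parsed:
            if rule[0] == action and matches(rule, *packet):
                return action
    return None

def verdict(packet, rules, order):
    """Inline verdict: only drop/sdrop/reject stop the packet."""
    action = first_action(packet, rules, order)
    return "drop" if action in ("drop", "sdrop", "reject") else "pass"

if __name__ == "__main__":
    # Constructed packets: a telnet SYN (tcp/23) and an ICMP echo (no port).
    for name, order in (("default", DEFAULT_ORDER),
                        ("--alert-before-pass", ALERT_BEFORE_PASS_ORDER)):
        for pkt in (("tcp", 23), ("icmp", None)):
            print(f"{name:20s} {pkt}: {verdict(pkt, RULES, order)}")
```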


________________________________
 From: Mike Miller <mike at ...16027...>
To: Nomad Esst <noname.esst at ...131...> 
Sent: Wednesday, June 12, 2013 7:30 PM
 


Long story short, you gang two network interfaces into a pair, have one network drop (in from Firewall) going to one interface and the other network drop (out to LAN) going to your router/switchfabric, and run snort in inline mode. You then have additional actions in your snort rules: where before you could only Alert, log, etc., you can also Pass, Drop, reject, and sdrop the packets, which prevents them from going from one interface to the other.

You can set snort up in inline mode, and so long as all the rules are set to alert, it'll act like snort that's just sniffing traffic. However, if the snort box goes offline, or you restart the snort processes, or snort hangs, YOU WILL LOSE NETWORK CONNECTIVITY if you're not using a fail-open network card.

Gig NICs are $9 in the bargain bin. Fail-open Gig NICs are closer to $2000, so you can see why people who don't care for uptime might cut a corner or two. Last I checked, there was no such thing as a fail-open Fiber NIC; that may have changed. A quick google shows they exist, are $10k MSRP, and I'm not sure HOW they work... because, you know, they use LIGHT and all that. (It's an admitted gap in my knowledge)

Gotchas:
1. Aforementioned fail-open behavior
2. Overly aggressive rulesets (if a False Positive is set to DROP or REJECT, you could cause a lot of oddball activity)
3. Another troubleshooting layer for Network Support. (Is the failure at the ISP, Firewall, Switchfabric... or Emerging Threats?)
4. If the Bad Guy thinks you're actively blacklisting based on IP, they can craft packets to make you go deaf. (Like making sure your Snort box is blocking access to the outside DNS server... because it received a UDP packet that was bad, that it thinks came from the DNS server.)

That said, having a good, tuned, IDP is a GREAT way to cut down on your day to day work. If it punts 98% of the sql injection attacks to your webfarm, you can devote your time to other things. 
On Wed, Jun 12, 2013 at 1:44 AM, Nomad Esst <noname.esst at ...131...> wrote:

>>Hi list
>>
>>>Sorry for these questions, I'm a new snort user.
>>>How can I enable IPS mode for snort? And is it possible to run snort in both IDS and IPS modes? How?
>>>
>>>Thanks in advance
>>
>>I wouldn't recommend leaping into IPS mode as a new snort user without familiarizing yourself with the environment. It's a sharp sword that would be easy to cut yourself on. Can you run IPS/IDS at the same time? Sure, but it may not be the optimal way to go.
>
>Thanks. Could you please tell me how I can have snort act in both IDS and IPS modes? What is the configuration?