[Snort-users] IPS mode for snort

Mike Miller mike at ...16027...
Fri Jun 14 09:53:58 EDT 2013

Did you create a bridged virtual interface?


On Thu, Jun 13, 2013 at 12:08 AM, Nomad Esst <noname.esst at ...131...> wrote:

> Thanks. You know, I've just decided to use it in inline mode. I gave that
> a try with these configurations :
> Here is my custom snort.conf: (named snr.conf)
> config daq: ipfw
> config daq_mode: inline
> config policy_mode: inline
> output alert_full: stdout
> include snort.rule
> Here is a simple rule file: (name snort.rule)
> drop tcp any any -> any 23 (msg: "Drop telnet packets"; sid: 1000001)
> pass ip any any -> any any
> And here is what I do:
> snort -c /root/snr.conf -Q --alert-before-pass
> And I expect the ICMP packets to pass and telnet packets to drop. But both
> packet types pass! Am I missing something?
>   ------------------------------
>  *From:* Mike Miller <mike at ...16027...>
> *To:* Nomad Esst <noname.esst at ...131...>*Sent:* Wednesday, June 12, 2013
> 7:30 PM
> Long story short, you gang two network interfaces into a pair, have one
> network drop (in from Firewall) going to one interface, and the other
> network drop (out to LAN), going to your router/switchfabric, running snort
> in inline mode, you have additional actions in your snort rules, where
> before you can Alert, log, etc...you can also Pass, Drop, reject, and sdrop
> the packets, which prevent them from going from one interface to the other.
> You can set snort up in inline mode, and so long as all the rules are set
> to alert, it'll act like snort that's just sniffing traffic. However, if
> the snort box goes offline, or you restart the snort processes, or snort
> hangs YOU WILL LOSE NETWORK CONNECTIVITY if you're not using a fail-open
> network card.
> Gig Nics are $9 in the bargain bin. Fail open Gig NICs are closer to
> $2000, so you can see why people who don't care for uptime might cut a
> corner or two. Last I checked, there was no such thing as a fail-open Fiber
> NIC, that may have changed. A quick google shows they exist, are $10k MSRP,
> and I'm not sure HOW they work....because, you know, they use LIGHT and all
> that. (It's an admitted gap in my knowledge)
> Gotchas:
> 1. Aforementioned fail-open behavior
> 2. Overly aggressive rulesets (if a Fase Positive is set to DROP or
> REJECT, you could cause a lot of oddball activity)
> 3. Another troubleshooting layer for Network Support. (Is the failure at
> the ISP, Firewall, Switchfabric...or Emerging Threats)
> 4. If the Bad Guy think's you're actively blacklisting based on IP, they
> can craft packets to make you go deaf. (Like making sure your Snort box is
> blocking access to the outside DNS server...because it received a UDP
> packet that was bad, that it thinks came from the DNS server.)
> That said, having a good, tuned, IDP is a GREAT way to cut down on your
> day to day work. If it punts 98% of the sql injection attacks to your
> webfarm, you can devote your time to other things.
> On Wed, Jun 12, 2013 at 1:44 AM, Nomad Esst <noname.esst at ...131...> wrote:
> >>Hi list
> >>Sorry for these questions, I'm a new snort user.
> >>How can I enable IPS mode for snort? And is it possible to run snort in
> both IDS and IPS modes? How?
> >>Thanks in advance
> >I wouldn't recommend leaping into IPS mode as a new snort user without
> familiarizing yourself with the environment. It's a sharp sword that would
> be >easy to cut yourself on. Can you run IPS/IDS at the same time? Sure,
> but it may not be the optimal way to go.
> Thanks. Could you please tell me how can I have snort act as both IDS and
> IPS modes? What is the configuration?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130614/2935860a/attachment.html>

More information about the Snort-users mailing list