[Snort-users] Barnyard2 and Snortsam for 2.9.7.0

Sec_Aficionado secaficionado at ...11827...
Mon Dec 15 10:11:43 EST 2014


Thank you all for your replies.

@Shirkdog: what you said is what I feared, but I was hoping for a different answer :)
It makes sense to move in the direction snort is going, but for small biz/soho/home networks sometimes a dedicated box for IPS is still too much trouble.

@Ian: can you please give me more technical details, like versions used or where you are getting your sources from? Are you using barnyard2 as the output plug-in or something more elaborate?

@Joel, snort can definitely drop packages and act as IPS, but putting it inline breaks my firewall/router configuration. That's why I'm exploring options with an external agent/daemon directing the firewall to block/drop traffic. Long term, the writing is on the wall. I will need to rethink my network topology, but I think I can hold off a bit longer ;)

Sent from my mobile
Any weird stuff in the message above is autocorrect's fault

> On Dec 15, 2014, at 8:06 AM, Joel Esler (jesler) <jesler at ...589...> wrote:
> 
> Afaik, you don't need to add anything to Snort anymore.  It's built into barnyard2
> 
> --
> Joel Esler 
> Sent from my iPhone
> 
> On Dec 15, 2014, at 8:02 AM, Ian <snort_list at ...16912...> wrote:
> 
>>> On 12/12/2014 16:28, Shirkdog wrote:
>>> Good ole' SnortSam. It was a great way to create custom actions and
>>> update your firewall config once a specific alert triggered.
>>> With DAQ and the ability to block in an IPS fashion, I am not sure if
>>> anyone is still using it.
>>> ---
>>> Michael Shirk
>> 
>> Hi,
>> 
>> We use snortsam extensively here.  It's useful to send out blocks to
>> other networks that have not yet seen attacks.
>> 
>> We run it as a daemon though, not compiled into snort.
>> 
>> Regards
>> 
>> Ian
>> -- 
>> 
>>> On Fri, Dec 12, 2014 at 10:53 AM, Sec_Aficionado
>>> <secaficionado at ...11827...> wrote:
>>>> Hello there,
>>>> I was looking through Barnyard2's barnyard2.conf file and noticed the section under
>>>> # alert fw_sam: allow blocking of IP's through remote services
>>>> However, I can't find a Snortsam version for snort later than 2.9.5.3
>>>> Does anyone here know if the project changed name or moved somewhere else for newer snort versions?
>>>> As usual, thanks in advance!
>>>> Sent from my mobile
>>>> Any weird stuff in the message above is autocorrect's fault
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!