[Snort-users] Snort with AFPacket
jlay at ...13475...
Tue Nov 4 10:19:11 EST 2014
On 2014-11-04 08:14, Sec_Aficionado wrote:
> It looks like snort as IPS is not going to work well with my setup.
> Not without major reworking of stuff that is stable and has been
> working for years.
> The entire exercise, though, was a good learning experience for me. I
> understand better snort's architecture and how the different pieces
> fit together.
> Thank you both gents for your help!
> On Nov 4, 2014, at 7:28 AM, James Lay <jlay at ...13475... >
>> On Mon, 2014-11-03 at 21:26 -0500, waldo kitty wrote:
>>> On 11/3/2014 8:56 PM, James Lay wrote:
>>>> On Mon, 2014-11-03 at 20:44 -0500, Sec Aficionado wrote:
>>>>> Great, thank you for the explanation. NFQ was indeed my next
>>>>> after trying AFPacket. AFPacket was easier to build, but I did
>>>>> realize it might have serious side effects.
>>>>> From the high level description of NFQ, it still works with
>>>>> but in a more efficient manner?
>>>> It's... interesting. You have to be careful with where you place your
>>>> iptables QUEUE rule for Snort to use. Because any rules placed
>>>> the QUEUE rule are not looked at... as soon as the packet hits the QUEUE
>>>> rule snort will either drop it as an IPS hit, or will pass it up the
>>>> stack. So make sure you nmap the box once you put it in
>>>> want any open surprises ;)
>>> that's going to be fun to do... i'm extremely familiar with the setup that the
>>> OP is working with... the entire configuration is built by iptables and getting
>>> the queues in place is going to be early in the process /IF/ i'm looking at
>>> things properly... that also puts snort towards the end of all the flow instead
>>> of at the head of it unless i'm missing what you mean by "pass [the packet] up
>>> the stack"...
>> Yep..it's a hoot <face-wink.png> And good call on the multiple
>> NIC's waldo.
You bet... my personal belief is that Snort as an inline IPS on a
dedicated, separate device with several NICs works excellently, but not
on devices that provide routing/firewall services.
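The placement problem James describes, as an added example that is not part of the thread or of Snort's own code: when Snort runs on the nfq DAQ (bound to a queue with `--daq nfq --daq-var queue=N`), every packet that reaches the `NFQUEUE` rule gets a verdict from Snort, and an NF_ACCEPT verdict ends traversal of that chain, so any rule placed after the `NFQUEUE` rule in the same chain is never evaluated for queued traffic. The same holds with `--queue-bypass`, which makes the rule behave like `ACCEPT` when Snort is not listening. The script below audits an `iptables-save` dump for rules shadowed this way. The ruleset it carries is constructed for the example (the chain names, ports and 192.0.2.0/24 management network are assumptions, not from the thread); on a real box, feed it the output of `iptables-save` instead.

```shell
#!/bin/sh
# Audit an iptables ruleset (iptables-save format) for rules that sit after an
# NFQUEUE rule in the same chain. Snort's nfq DAQ answers NF_ACCEPT or NF_DROP
# for every queued packet, and NF_ACCEPT ends traversal of the chain, so rules
# below the NFQUEUE rule never fire for traffic Snort passes.

# Constructed sample ruleset (not from the thread): the telnet DROP in INPUT and
# the SMB DROP in FORWARD both sit behind an NFQUEUE rule, so they are dead for
# any packet Snort accepts. The management ACCEPT and the loopback ACCEPT sit
# above it and still apply.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j NFQUEUE --queue-num 0
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0 --queue-bypass
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
COMMIT'

# Read an iptables-save dump on stdin and print "chain<TAB>rule" for every rule
# that follows an NFQUEUE rule in its chain. Only the -j target is inspected,
# so the match modules used by a rule (-m tcp, -m conntrack, ...) do not matter.
# Rules in a user-defined chain are only checked against NFQUEUE rules in that
# same chain; a queue reached through a -j jump shadows the caller too, which
# this simple audit does not follow.
shadowed_rules() {
    awk '
        /^-A / {
            chain = $2
            if (queued[chain]) { print chain "\t" $0; next }
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && $(i + 1) == "NFQUEUE") queued[chain] = 1
        }
    '
}

# Count of shadowed rules, for scripting a pass/fail check.
shadowed_count() {
    shadowed_rules | awk 'END { print NR }'
}

# Stand-alone run: audit a real dump given as the first argument
# (e.g. `iptables-save | sh audit.sh /dev/stdin`), else the constructed sample.
if [ -n "${1:-}" ]; then
    shadowed_rules < "$1"
else
    printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
fi
```

Anything the audit reports must move above the `NFQUEUE` rule if it is meant to keep working; the usual shape is explicit ACCEPTs and DROPs first, then an `NFQUEUE` rule that matches only the traffic you actually intend to expose, so that the chain policy of DROP still covers everything else. After applying the real rules, run the port scan James recommends from outside the box twice, once with Snort stopped and once with it running: without `--queue-bypass` a stopped Snort makes every queued port look filtered, and with it every queued port looks exactly as open as the host behind it, because no later rule can close it.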