[Snort-users] Snort with AFPacket

James Lay jlay at ...13475...
Tue Nov 4 10:19:11 EST 2014


On 2014-11-04 08:14, Sec_Aficionado wrote:
> It looks like snort as IPS is not going to work well with my setup.
> Not without major reworking of stuff that is stable and has been
> working for years.
>
> The entire exercise, though, was a good learning experience for me. I
> understand better snort's architecture and how the different pieces
> fit together.
>
> Thank you both gents for your help!
>
> On Nov 4, 2014, at 7:28 AM, James Lay <jlay at ...13475...> wrote:
>
>> On Mon, 2014-11-03 at 21:26 -0500, waldo kitty wrote:
>>
>>> On 11/3/2014 8:56 PM, James Lay wrote:
>>>> On Mon, 2014-11-03 at 20:44 -0500, Sec Aficionado wrote:
>>>>> Great, thank you for the explanation. NFQ was indeed my next step
>>>>> after trying AFPacket. AFPacket was easier to build, but I did not
>>>>> realize it might have serious side effects.
>>>>>
>>>>>
>>>>> From the high level description of NFQ, it still works with iptables,
>>>>> but in a more efficient manner?
>>>>>
>>>>
>>>> It's.....interesting. You have to be careful with where you place your
>>>> iptables QUEUE rule for Snort to use. Because any rules placed AFTER
>>>> the QUEUE rule are not looked at....as soon as the packet hits the QUEUE
>>>> rule snort will either drop it as an IPS hit, or will pass it up the
>>>> stack. So make sure you nmap the box once you put it in place...don't
>>>> want any open surprises ;)
>>>
>>> that's going to be fun to do... i'm extremely familiar with the setup that the
>>> OP is working with... the entire configuration is built by iptables and getting
>>> the queues in place is going to be early in the process /IF/ i'm looking at
>>> things properly... that also puts snort towards the end of all the flow instead
>>> of at the head of it unless i'm missing what you mean by "pass [the packet] up
>>> the stack"...
>>
>> Yep..it's a hoot ;) And good call on the multiple NIC's waldo.
>>
>> James
>

You bet....my personal belief is that Snort as an inline IPS on a 
dedicated, separate device with several NICs works excellently, but not 
on devices that provide routing/firewall services.

James
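Added illustration of the QUEUE-placement point made above (my own model, not code from the thread, from Snort or from netfilter): a toy traversal of an INPUT chain in which NFQUEUE, like ACCEPT and DROP, terminates evaluation, so DROP rules placed after it are shadowed, plus the "which ports did I just open" check that nmap answers on a real box, run against the model instead. The Rule fields, the port numbers and the snort_like verdict function are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or NFQUEUE
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def to_iptables(self, chain: str = "INPUT") -> str:
        # The equivalent command line, for comparison with a real ruleset.
        opts = [f"-p {self.proto}"] if self.proto else []
        if self.dport is not None:
            opts.append(f"--dport {self.dport}")
        return " ".join([f"iptables -A {chain}", *opts, f"-j {self.target}"])

def traverse(chain: list, pkt: dict, ips_verdict: Callable, policy: str = "DROP"):
    """Return (verdict, deciding rule index; None when the chain policy decided).
    ACCEPT, DROP and NFQUEUE all terminate traversal: for NFQUEUE the verdict is
    whatever the userspace IPS answers, and rules after it are never consulted."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            verdict = ips_verdict(pkt) if rule.target == "NFQUEUE" else rule.target
            return verdict, idx
    return policy, None

def reachable_ports(chain: list, ips_verdict: Callable, ports) -> set:
    """Ports a benign TCP probe would reach: what a port scan of the box answers."""
    probe = lambda p: {"proto": "tcp", "dport": p, "payload": b""}
    return {p for p in ports if traverse(chain, probe(p), ips_verdict)[0] == "ACCEPT"}

# Constructed stand-in for Snort's verdict: its only "signature" is the string EVIL.
def snort_like(pkt: dict) -> str:
    return "DROP" if b"EVIL" in pkt["payload"] else "ACCEPT"

# Queue rule first: every DROP after it is shadowed, so a Snort pass verdict opens the port.
SHADOWED = [Rule("NFQUEUE"), Rule("DROP", "tcp", 23), Rule("DROP", "tcp", 443)]

# Firewall decisions first; only traffic the firewall would allow anyway goes to Snort.
CORRECT = [Rule("DROP", "tcp", 23), Rule("NFQUEUE", "tcp", 22), Rule("NFQUEUE", "tcp", 80)]

if __name__ == "__main__":
    for name, chain in (("shadowed", SHADOWED), ("correct", CORRECT)):
        print(name, "reachable:", sorted(reachable_ports(chain, snort_like, range(1, 1025))))
        print(*(r.to_iptables() for r in chain), sep="\n")
```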
