[Snort-users] Snort with AFPacket

waldo kitty wkitty42 at ...14940...
Tue Nov 4 12:31:28 EST 2014


On 11/4/2014 10:19 AM, James Lay wrote:
> You bet....my personal belief is that Snort as an inline IPS on
> dedicated, separate devices with several NICs works excellently, but not
> on devices that provide routing/firewall services.

there is actually something in the works on a possible way to handle this... it 
may turn out that having dedicated sniffer boxen is really the best way to go... 
the current implementation only looks at the WAN side of the device and none of 
the internal LANs' traffic... kinda makes it hard to locate an offending 
internal machine when looking for one communicating with an external CnC, but 
just being aware of the traffic is a plus and allows one to then use other 
software to look internally and find the device... it ain't point'n'click by a 
long shot, but there are times that being this close to the metal is really a 
good thing... especially when one learns how things really work instead of the 
process being hidden behind some pretty stuff with fluffiness all around it ;) :lol:

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
