[Snort-users] active response and network tap

Steve Gantz stephen.gantz at ...16854...
Fri Jan 9 17:34:58 EST 2015

Probably not. Typically if you want active response/IPS functionality (drop packets, etc) you need an inline setup with two NICs and configuration routing all traffic to Snort using iptables. With a tap the traffic is already downstream by the time you get an alert. 


Professor of Information Assurance

The Graduate School

University of Maryland University College

stephen.gantz at ...16854...

> On Jan 9, 2015, at 4:37 PM, Anthony Sheetz <sheetzam at ...17060...> wrote:
> I'm getting started with snort, and am currently using it with a network tap from an intelligent switch in passive mode. Is it possible to use an active response rule in such a setup? I probably haven't included enough information to get an intelligent answer - happy to explain more of the setup if needed.
> Thanks in advance.
> Anthony Sheetz
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming! The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150109/41cadf75/attachment.html>

More information about the Snort-users mailing list