Snort mailing list archives
RE: new user - snort is not dropping packets
From: <lokesh.khanna () accelonafrica com>
Date: Tue, 15 Feb 2005 10:47:17 +0100
Thanks again for the reply. But it is confusing me more. As per my knowledge, I cannot set a rule using IPCHAIN which will drop packets based on the content of the packet. What I am able to understand is that if I use the IDS in INLINE mode, the IDS will act as a router and, based on alerts, the IDS will insert rules in IPTABLE. I can have genuine traffic from an IP address and virus traffic from the same IP address. So the content of that packet will define whether the packet should be dropped or not. How will IPCHAIN handle this?

Cordially,
LK

-----Original Message-----
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher () bristol ac uk]
Sent: 15 February 2005 10:34
To: Lokesh Khanna; snort-users () lists sourceforge net
Subject: RE: [Snort-users] new user - snort is not dropping packets

--On 15 February 2005 10:23 +0100 lokesh.khanna () accelonafrica com wrote:
I remember in RealSecure or ManHunt, I used to configure a port in mirroring mode on the switch and I put the IDS on that port. All our traffic was going through that mirrored port. Based on rules defined in the IDS, it was dropping / logging packets.
Logging, yes, but those products would only have been dropping (i.e. blocking, rejecting) packets if they were interacting with a firewall or router in some way (or they were running in some kind of IPS mode, which you seem to indicate was not the case).
If I understand correctly, do I need to pass all traffic through the IDS box?
If you're using inline mode, yes, the snort machine will be acting as a router (actually an Intrusion _Prevention_ System or IPS). See <http://snort-inline.sourceforge.net/> and README.INLINE for more info on inline mode. Note that 2.3.0 integrates the inline stuff IIRC.
The IDS will act as a router also, and based on alerts, the IDS will make modifications in IPCHAIN and will drop or allow packets.
See the above site for the details.
Or is there any other way out? How can I find out documents on this?
<http://www.snortsam.net/> and README.FLEXRESP and README.FLEXRESP2 in the snort docs.
Cordially,
LK
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
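The distinction behind this exchange, as an added example that is not part of the thread and not Snort's own code: a small simulation of the two ways a Snort sensor can get packets dropped. In inline mode (snort_inline, or Snort 2.3's -Q option) the firewall hands every packet to Snort through iptables' QUEUE target and Snort returns a per-packet verdict, so a 'drop' rule with a 'content' option drops only the packets whose payload matches. With a passive sensor plus a firewall-blocking response (the SnortSam / flexresp approach), Snort only sees a copy of the traffic: the matching packet has already been forwarded when the alert fires, and the response blocks the source address, which then also blocks that host's genuine traffic. The rule parser below handles only a subset of Snort rule syntax (action, protocol, msg, content, sid; no |hex| content, no modifiers), and the rule, addresses and packets are constructed for the example.

```python
"""Inline verdict vs. reactive firewall block: a simulation (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Rule:
    action: str      # 'alert' or 'drop' ('drop' only has an effect inline)
    proto: str
    content: bytes   # plain-text content match only (no |hex| or modifiers)
    msg: str
    sid: int


# Subset of Snort rule syntax: "<action> <proto> <src> <sport> -> <dst> <dport> (<options>)"
_RULE_RE = re.compile(
    r'^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+\S+\s*'
    r'\((?P<opts>.*)\)\s*$')
_OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the subset described above."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    opts = dict(_OPT_RE.findall(m.group('opts')))
    return Rule(m.group('action'), m.group('proto'), opts['content'].encode(),
                opts.get('msg', ''), int(opts['sid']))


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.content in pkt.payload


def inline_verdicts(rules, packets):
    """Inline mode: Snort sits in the forwarding path (iptables QUEUE) and
    returns a verdict for each packet. Only packets matching a 'drop' rule
    are dropped; 'alert' rules log and let the packet pass."""
    verdicts = []
    for pkt in packets:
        verdict = 'ACCEPT'
        for r in rules:
            if matches(r, pkt) and r.action == 'drop':
                verdict = 'DROP'
                break
        verdicts.append(verdict)
    return verdicts


def reactive_verdicts(rules, packets):
    """Passive sensor on a mirror port plus firewall response (SnortSam /
    flexresp style): the sensor only sees a copy, so the matching packet is
    already forwarded; the response then blocks the source address, and every
    later packet from that address is dropped regardless of its content."""
    blocked = set()
    verdicts = []
    for pkt in packets:
        if pkt.src in blocked:
            verdicts.append('DROP')
            continue
        verdicts.append('ACCEPT')          # forwarded before the alert fires
        if any(matches(r, pkt) for r in rules):
            blocked.add(pkt.src)           # e.g. a firewall rule inserted for the IP
    return verdicts


# Constructed rule and traffic: one host sends genuine HTTP, then a malicious
# beacon, then genuine HTTP again; a second host sends genuine HTTP only.
RULE_LINE = ('drop tcp any any -> any any (msg:"EXAMPLE virus beacon"; '
             'content:"BOTNET-HELLO"; sid:1000001;)')
RULES = [parse_rule(RULE_LINE)]
PACKETS = [
    Packet('10.0.0.5', '192.0.2.10', b'GET / HTTP/1.0\r\n'),            # genuine
    Packet('10.0.0.5', '192.0.2.10', b'BOTNET-HELLO id=42'),             # malicious
    Packet('10.0.0.5', '192.0.2.10', b'GET /index.html HTTP/1.0\r\n'),  # genuine
    Packet('10.0.0.9', '192.0.2.10', b'GET / HTTP/1.0\r\n'),            # other host
]


def demo():
    return {'inline': inline_verdicts(RULES, PACKETS),
            'reactive': reactive_verdicts(RULES, PACKETS)}


if __name__ == '__main__':
    for mode, verdicts in demo().items():
        print(f"{mode:9s}", verdicts)
```

Running it shows the inline path dropping exactly the beacon packet and nothing else, while the reactive path lets the beacon through and then drops the host's next genuine request. That is the practical difference between "the IDS acts as a router" (inline) and "the IDS modifies the firewall based on alerts" (reactive), and why a content-based decision needs the sensor in the forwarding path.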
Current thread:
- new user - snort is not dropping packets lokesh.khanna (Feb 15)
- Re: new user - snort is not dropping packets Alex Butcher, ISC/ISYS (Feb 15)
- <Possible follow-ups>
- RE: new user - snort is not dropping packets lokesh.khanna (Feb 15)
- RE: new user - snort is not dropping packets Alex Butcher, ISC/ISYS (Feb 15)
- RE: new user - snort is not dropping packets lokesh.khanna (Feb 15)
- RE: new user - snort is not dropping packets Alex Butcher, ISC/ISYS (Feb 15)
- RE: new user - snort is not dropping packets lokesh.khanna (Feb 15)
- RE: new user - snort is not dropping packets Chris Vaughan (Feb 15)
- RE: new user - snort is not dropping packets Joshua Berry (Feb 15)
- RE: new user - snort is not dropping packets lokesh.khanna (Feb 15)
- RE: new user - snort is not dropping packets Chris Vaughan (Feb 15)
- RE: new user - snort is not dropping packets lokesh.khanna (Feb 15)
- suppressing events from private lan hans (Feb 16)
- Re: suppressing events from private lan Matt Kettler (Feb 16)
- Re: suppressing events from private lan hans (Feb 16)
- suppressing events from private lan hans (Feb 16)