Snort mailing list archives
Re: Advice on Snort Inline
From: Eric Hines <eric.hines () appliedwatch com>
Date: Fri, 08 Sep 2006 09:05:47 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joel, You forgot to mention the cool part of being able to rename the devices from eth1 and eth2 to ips0 and ips1 :) Mark: Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 and ifcfg-eth2 files, rename them to ifcfg-ips0 and ifcfg-ips1 and change the line in the files that says: DEVICE=eth1 and DEVICE=eth2 to DEVICE=ips0 and DEVICE=ips1 respectively Although, I've been struggling with how to rename a bond0 interface to mgt0 ... :/ :) Best Regards, Eric S. Hines, GCIA, CISSP CEO, President, Chairman Applied Watch Technologies, LLC - -------------------------------------------------- Eric S. Hines, GCIA, CISSP CEO, President, Chairman Applied Watch Technologies, LLC - -------------------------------------------------- Email: eric.hines () appliedwatch com Address: 1095 Pingree Road Suite 221 Crystal Lake, IL 60014 Tel: (877) 262-7593 ext:327 Local: (847) 854-5831 Fax: (847) 854-5106 Web: http://www.appliedwatch.com - -------------------------------------------------- Security Management for the Open Source Enterprise Joel Esler wrote:
Mark, Thanks for emailing the list. 3 nics is the the way you want to go, one nic in, one nic out. There are some configuration guides to Snort inline out there (try the Snort manual, it's a good starting point), all you have to do is basically have iptables forward everything to "QUEUE" then Snort reads from that QUEUE. Fedora Core 5 will work just fine, just make sure you are running the bare minimum of services on it, as you want your Snort box to be as fast as possible for inline mode. Joel Mark Rohrbeck wrote:Hi all, I have 2 IDS systems in place and tuned to their specific networks, the next step I want to take is running them with Snort_inline. I am just a little unsure on how to do this. I would prefer to use Fedora Core 5 as the OS but open to suggestions. I mainly want to find out if I can run Snort_inline on one box? The networks are pretty small with 10 - 50 XP PC's and server 2003 / 2000, we run Sonicwall firewalls and I have the Sensors behind the firewall. The picture I have in my mind is having 3 nics in the machine, 1 for Admin and the other 2 for Snort inline. Am I heading in the right direction here? Any advice / help GREATLY appreciated. Marklar ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- +---------------------------------------------------------------------+ Joel Esler Senior Security Consultant 1-706-627-2101 Sourcefire Security for the /Real/ World -- http://www.sourcefire.com Snort - Open Source Network IPS/IDS -- http://www.snort.org GPG Key http://demo.sourcefire.com/jesler.pgp.key +---------------------------------------------------------------------+
- ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFAXi71va6QYTV0EMRAsOcAJ46uoC1sAQRelViCZn4kU7frmaueQCfaAOu XxsMLEGX8UI+zeWjQn2g5Ww= =n3yt -----END PGP SIGNATURE-----
Attachment:
eric.hines.vcf
Description:
------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Libcap problem with Snort configuration Alejandro (Sep 07)
- Advice on Snort Inline Mark Rohrbeck (Sep 08)
- Re: Advice on Snort Inline Joel Esler (Sep 08)
- Re: Advice on Snort Inline Eric Hines (Sep 08)
- Re: Advice on Snort Inline Jason Brvenik (Sep 08)
- Re: Advice on Snort Inline Joel Esler (Sep 08)
- Advice on Snort Inline Mark Rohrbeck (Sep 08)