Snort mailing list archives

Re: Advice on Snort Inline


From: Eric Hines <eric.hines () appliedwatch com>
Date: Fri, 08 Sep 2006 09:05:47 -0500

Joel,

You forgot to mention the cool part of being able to rename the devices
from eth1 and eth2 to ips0 and ips1 :)

Mark: Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 and ifcfg-eth2
files, rename them to ifcfg-ips0 and ifcfg-ips1, and change the line in
the files that says DEVICE=eth1 and DEVICE=eth2 to DEVICE=ips0 and
DEVICE=ips1 respectively.

Although, I've been struggling with how to rename a bond0 interface to
mgt0 ... :/ :)



Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


--------------------------------------------------

Email:   eric.hines () appliedwatch com
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
         60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

--------------------------------------------------
Security Management for the Open Source Enterprise
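
The ifcfg rename Eric describes, as an added example (not code from the thread or from any of its authors): a POSIX shell script that moves ifcfg-eth1/ifcfg-eth2 to ifcfg-ips0/ifcfg-ips1 and rewrites their DEVICE= lines, refusing to proceed when the source file is missing, the target name is already taken, or the file has no HWADDR= line. The network-scripts directory is a parameter so the steps can be rehearsed on a copy; the demo at the bottom runs on constructed files in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread. Rename a pair of Fedora/RHEL
# ifcfg definitions (eth1 -> ips0, eth2 -> ips1) as Eric describes,
# with the checks an operator wants before touching a production box.
# The directory is a parameter so the steps can be rehearsed on a copy;
# the live path is /etc/sysconfig/network-scripts.

# rename_ifcfg DIR OLD NEW
# Moves DIR/ifcfg-OLD to DIR/ifcfg-NEW and rewrites its DEVICE= line.
# Fails (status 1) when the source is missing, the target already
# exists, or the file has no HWADDR= line: the network scripts rely on
# HWADDR= to tie the new name to the physical card at boot, so without
# it the rename has nothing to key on.
rename_ifcfg() {
    dir=$1; old=$2; new=$3
    src="$dir/ifcfg-$old"; dst="$dir/ifcfg-$new"
    [ -f "$src" ] || { echo "rename_ifcfg: $src not found" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "rename_ifcfg: $dst already exists" >&2; return 1; }
    grep -q '^HWADDR=' "$src" || { echo "rename_ifcfg: $src has no HWADDR=" >&2; return 1; }
    # Rollback copy; ifcfg-*.bak is skipped by the network init script.
    cp -p "$src" "$src.bak"
    sed "s/^DEVICE=.*/DEVICE=$new/" "$src" > "$dst" && rm -f "$src"
}

# device_name DIR NAME: print the DEVICE= value of DIR/ifcfg-NAME
device_name() {
    sed -n 's/^DEVICE=//p' "$1/ifcfg-$2"
}

# Rehearsal on constructed ifcfg files in a scratch directory (sample
# data, not copied from any real host).
demo=$(mktemp -d)
printf 'DEVICE=eth1\nHWADDR=00:11:22:33:44:55\nONBOOT=yes\nBOOTPROTO=none\n' > "$demo/ifcfg-eth1"
printf 'DEVICE=eth2\nHWADDR=00:11:22:33:44:66\nONBOOT=yes\nBOOTPROTO=none\n' > "$demo/ifcfg-eth2"
rename_ifcfg "$demo" eth1 ips0 && rename_ifcfg "$demo" eth2 ips1
ls "$demo"
device_name "$demo" ips0         # ips0
```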

Joel Esler wrote:
Mark,

Thanks for emailing the list.

3 NICs is the way you want to go, one NIC in, one NIC out.  There
are some configuration guides to Snort inline out there (try the Snort
manual, it's a good starting point); all you have to do is basically
have iptables forward everything to "QUEUE", then Snort reads from that
QUEUE.

Fedora Core 5 will work just fine; just make sure you are running the
bare minimum of services on it, as you want your Snort box to be as fast
as possible for inline mode.

Joel


Mark Rohrbeck wrote:
Hi all,

I have 2 IDS systems in place and tuned to their specific networks; the next
step I want to take is running them with Snort_inline. I am just a little
unsure how to do this. I would prefer to use Fedora Core 5 as the OS but am
open to suggestions. I mainly want to find out if I can run Snort_inline on
one box.

The networks are pretty small with 10-50 XP PCs and Server 2003/2000;
we run Sonicwall firewalls and I have the sensors behind the firewall. The
picture I have in my mind is having 3 NICs in the machine, 1 for admin and
the other 2 for Snort inline. Am I heading in the right direction here?

Any advice / help GREATLY appreciated.

Marklar


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
+---------------------------------------------------------------------+
Joel Esler         Senior Security Consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
