Re: Advice on Snort Inline

[Jason Brvenik <jasonb () sourcefire com>]

IIRC it goes something like this

alias ipsbr0 bonding

/etc/sysconfig/ifcfg-ipsbr0
DEVICE=ipsbr0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

/etc/sysconfig/ifcfg-eth0
DEVICE=ips0
USERCTL=no
ONBOOT=yes
MASTER=ipsbr0
SLAVE=yes
BOOTPROTO=none

/etc/sysconfig/ifcfg-eth1
DEVICE=ips1
USERCTL=no
ONBOOT=yes
MASTER=ipsbr0
SLAVE=yes
BOOTPROTO=none


# /sbin/ifconfig ipsbr0 192.168.1.1 up
# /sbin/ifenslave ipsbr00 eth0
# /sbin/ifenslave ipsbr0 eth1



Eric Hines wrote:
> Joel,
>
> You forgot to mention the cool part of being able to rename the devices
> from eth1 and eth2 to ips0 and ips1 :)
>
> Mark: Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 and ifcfg-eth2
> files, rename them to ifcfg-ips0 and ifcfg-ips1 and change the line in
> the files that says: DEVICE=eth1 and DEVICE=eth2 to DEVICE=ips0 and
> DEVICE=ips1 respectively
>
> Although, I've been struggling with how to rename a bond0 interface to
> mgt0 ... :/ :)
>
>
>
> Best Regards,
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
>
> --------------------------------------------------
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
> --------------------------------------------------
>
> Email:   eric.hines () appliedwatch com
> Address: 1095 Pingree Road
>          Suite 221
>          Crystal Lake, IL
>          60014
> Tel:     (877) 262-7593 ext:327
> Local:   (847) 854-5831
> Fax:     (847) 854-5106
> Web:     http://www.appliedwatch.com
>
> --------------------------------------------------
> Security Management for the Open Source Enterprise
>
>
>
>
>
> Joel Esler wrote:
> > > Mark,
> > >
> > > Thanks for emailing the list.
> > >
> > > 3 nics is the the way you want to go, one nic in, one nic out.  There
> > > are some configuration guides to Snort inline out there (try the Snort
> > > manual, it's a good starting point), all you have to do is basically
> > > have iptables forward everything to "QUEUE" then Snort reads from that
> > > QUEUE.
> > >
> > > Fedora Core 5 will work just fine, just make sure you are running the
> > > bare minimum of services on it, as you want your Snort box to be as fast
> > > as possible for inline mode.
> > >
> > > Joel
> > >
> > >
> > > Mark Rohrbeck wrote:
> > > > > Hi all, 
> > > > >
> > > > > I have 2 IDS systems in place and tuned to their specific networks, the next
> > > > > step I want to take is running them with Snort_inline. I am just a little
> > > > > unsure on how to do this. I would prefer to use Fedora Core 5 as the OS but
> > > > > open to suggestions. I mainly want to find out if I can run Snort_inline on
> > > > > one box? 
> > > > >
> > > > > The networks are pretty small with 10 - 50 XP PC's and server 2003 / 2000,
> > > > > we run Sonicwall firewalls and I have the Sensors behind the firewall. The
> > > > > picture I have in my mind is having 3 nics in the machine, 1 for Admin and
> > > > > the other 2 for Snort inline. Am I heading in the right direction here?
> > > > >
> > > > > Any advice / help GREATLY appreciated.
> > > > >
> > > > > Marklar
> > > > >
> > > > >
> > > > > -------------------------------------------------------------------------
> > > > > Using Tomcat but need to do more? Need to support web services, security?
> > > > > Get stuff done quickly with pre-integrated technology to make your job easier
> > > > > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > > > > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > --
> > > +---------------------------------------------------------------------+
> > > Joel Esler               Senior Security Consultant         1-706-627-2101
> > > Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
> > > Snort - Open Source Network IPS/IDS -- http://www.snort.org
> > > GPG Key http://demo.sourcefire.com/jesler.pgp.key
> > > +---------------------------------------------------------------------+
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642


------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users