Snort mailing list archives
Re: Advice on Snort Inline
From: Jason Brvenik <jasonb () sourcefire com>
Date: Fri, 08 Sep 2006 10:28:09 -0400
IIRC it goes something like this

alias ipsbr0 bonding

/etc/sysconfig/ifcfg-ipsbr0
DEVICE=ipsbr0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

/etc/sysconfig/ifcfg-eth0
DEVICE=ips0
USERCTL=no
ONBOOT=yes
MASTER=ipsbr0
SLAVE=yes
BOOTPROTO=none

/etc/sysconfig/ifcfg-eth1
DEVICE=ips1
USERCTL=no
ONBOOT=yes
MASTER=ipsbr0
SLAVE=yes
BOOTPROTO=none

# /sbin/ifconfig ipsbr0 192.168.1.1 up
# /sbin/ifenslave ipsbr0 eth0
# /sbin/ifenslave ipsbr0 eth1

Eric Hines wrote:
Joel,

You forgot to mention the cool part of being able to rename the devices from eth1 and eth2 to ips0 and ips1 :)

Mark: Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 and ifcfg-eth2 files, rename them to ifcfg-ips0 and ifcfg-ips1 and change the line in the files that says:

DEVICE=eth1 and DEVICE=eth2

to

DEVICE=ips0 and DEVICE=ips1 respectively

Although, I've been struggling with how to rename a bond0 interface to mgt0 ... :/ :)

Best Regards,

--------------------------------------------------
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines () appliedwatch com
Address: 1095 Pingree Road Suite 221 Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise

Joel Esler wrote:

Mark,

Thanks for emailing the list. 3 nics is the way you want to go, one nic in, one nic out. There are some configuration guides to Snort inline out there (try the Snort manual, it's a good starting point), all you have to do is basically have iptables forward everything to "QUEUE" then Snort reads from that QUEUE.

Fedora Core 5 will work just fine, just make sure you are running the bare minimum of services on it, as you want your Snort box to be as fast as possible for inline mode.

Joel

Mark Rohrbeck wrote:

Hi all,

I have 2 IDS systems in place and tuned to their specific networks, the next step I want to take is running them with Snort_inline. I am just a little unsure on how to do this. I would prefer to use Fedora Core 5 as the OS but open to suggestions. I mainly want to find out if I can run Snort_inline on one box?
The networks are pretty small with 10 - 50 XP PC's and server 2003 / 2000, we run Sonicwall firewalls and I have the Sensors behind the firewall. The picture I have in my mind is having 3 nics in the machine, 1 for Admin and the other 2 for Snort inline. Am I heading in the right direction here?

Any advice / help GREATLY appreciated.

Marklar

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
+---------------------------------------------------------------------+
Joel Esler
Senior Security Consultant
1-706-627-2101
Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
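The rename step described in the thread (move the ifcfg file and change its DEVICE= line), written as a shell function. This is an added example, not code posted by anyone in the thread; the function name rename_ifcfg, the backup file name and the scratch-directory demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rename a Red Hat-style ifcfg file and its DEVICE= line together.
# Usage: rename_ifcfg DIR OLD NEW
#   e.g. rename_ifcfg /etc/sysconfig/network-scripts eth1 ips0
rename_ifcfg() {
    dir=$1 old=$2 new=$3
    src="$dir/ifcfg-$old"
    dst="$dir/ifcfg-$new"

    # Accept only plain interface names: no slashes or spaces, at most
    # 15 characters (the Linux interface-name limit).
    for name in "$old" "$new"; do
        case "$name" in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $name" >&2; return 2 ;;
        esac
        [ "${#name}" -le 15 ] || { echo "name too long: $name" >&2; return 2; }
    done

    [ -f "$src" ] || { echo "missing $src" >&2; return 3; }
    # Never overwrite an existing interface configuration.
    if [ -e "$dst" ]; then echo "$dst already exists" >&2; return 4; fi
    # The file must really describe the interface being renamed.
    grep -Fxq "DEVICE=$old" "$src" ||
        { echo "$src has no DEVICE=$old line" >&2; return 5; }

    # Backup name deliberately does not match the ifcfg-* pattern.
    cp -p "$src" "$dir/bak.ifcfg-$old" || return 6
    # Rewrite only the DEVICE line; all other settings carry over unchanged.
    sed "s/^DEVICE=.*/DEVICE=$new/" "$src" > "$dst" || return 6
    rm -f "$src"
}

# Constructed demo in a scratch directory (not the live /etc/sysconfig tree).
demo=$(mktemp -d)
printf 'DEVICE=eth1\nONBOOT=yes\nBOOTPROTO=none\n' > "$demo/ifcfg-eth1"
rename_ifcfg "$demo" eth1 ips0 && cat "$demo/ifcfg-ips0"
rm -rf "$demo"
```
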
Current thread:
- Libcap problem with Snort configuration Alejandro (Sep 07)
- Advice on Snort Inline Mark Rohrbeck (Sep 08)
- Re: Advice on Snort Inline Joel Esler (Sep 08)
- Re: Advice on Snort Inline Eric Hines (Sep 08)
- Re: Advice on Snort Inline Jason Brvenik (Sep 08)
- Re: Advice on Snort Inline Joel Esler (Sep 08)
- Advice on Snort Inline Mark Rohrbeck (Sep 08)