Snort mailing list archives
Re: Question about Inline mode
From: "Albert E. Whale" <aewhale () ABS-CompTech com>
Date: Sun, 04 Dec 2011 21:36:07 -0500
Thanks, I completely left out the Management interface. I still have further questions, please see below.

On 12/4/2011 5:55 PM, NA wrote:

> On 12/4/11 12:48 PM, Albert E. Whale wrote:
>> I have been asked to develop an IDS/IPS solution which can span multiple zones behind a firewall. While I have reservations in implementing a single box to become an active sensor for IDS/IPS solutions on the networks. In addition to believing that this is the wrong strategy to use in protecting internal networks (I am supposed to protect 4 internal networks), I am not certain of the correct configuration of the host server. In an Inline mode, are the network interfaces linked? What network configuration is required for IDS/IPS or inline configuration?
>
> Inline mode is done via a DAQ module. Inline is supported by at least the NFQ and Afpacket DAQ modules. This is new to Snort as of the 2.9.x.x versions. You actually need 3 interfaces as traffic goes across, for example setting your sensor to detect across eth0:eth1 and the eth2 as the management interface.

Thank you, I have found the following pages:
http://www.snort.org/snort-downloads/external-daq/
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html

Helpful as they were, I still have the following questions. When using either NFQ or the DAQ modules, are the interfaces bonded together? I completely understand that the Management interface is assigned an IP Address, a gateway and a network (subnet mask). What happens to the two interfaces used in inline mode? If I place the sensor inline, are the interfaces numbered? Do I need to fully provide networking (routing) between the interfaces?

>> Does the inline mode require two interfaces? Can Snort support multiple networks, simultaneously? Does this reduce the throughput capability of the monitor?
>
> Multiple networks can be supported but of course bandwidth is the consideration here along with the strength of the Snort sensor. There are better people on this list to answer than me but depending on the size/bandwidth considerations you may want to consider using 4 sensors that report to a main server for analysis. Like I said, others on this list can help there as I have no experience here. Search the Google Groups list too.

Four sensors and a Main Server is an exceptional idea. Thank you for that.

From reading the above sites listed, it would seem that afpacket is the method to use for inline use. Is there a consensus here?

> Hope this serves at least as a start to answer your questions.
>
> Bill

snip
--
Albert E. Whale, CHS CISA CISSP
Senior Technology & Security Director
ABS Computer Technology, Inc.
412-635-7488 ext 100
aewhale () ABS-CompTech com
www.ABS-CompTech.com
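The three-interface layout Bill describes (eth0:eth1 as the inline pair, eth2 for management), written out as a host setup script plus the Snort 2.9 command line for the afpacket DAQ. This is an added example, not code from the thread or from the Snort project; the interface names, the management address and the snort.conf path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: prepare an inline Snort 2.9 sensor using the afpacket DAQ.
# Assumed names: eth0/eth1 are the inline pair, eth2 is management.
set -eu

INLINE_A=eth0
INLINE_B=eth1
MGMT=eth2
MGMT_ADDR=192.0.2.10/24      # constructed documentation address
MGMT_GW=192.0.2.1            # constructed documentation address
SNORT_CONF=/etc/snort/snort.conf

# The afpacket DAQ bridges the two inline interfaces itself at layer 2, so
# they are not bonded, carry no IP address, and the host does no routing
# between them. They only need to be up and in promiscuous mode.
prepare_inline_pair() {
  for dev in "$INLINE_A" "$INLINE_B"; do
    ip addr flush dev "$dev"
    ip link set "$dev" promisc on
    ip link set "$dev" up
  done
}

# Only the management interface is addressed: it is where you administer
# the sensor and where alerts and logs leave the box.
prepare_mgmt() {
  ip addr add "$MGMT_ADDR" dev "$MGMT"
  ip link set "$MGMT" up
  ip route add default via "$MGMT_GW" dev "$MGMT"
}

# Command line for inline afpacket on Snort 2.9.x:
#   -Q              run inline (drop rules actually drop)
#   --daq afpacket  select the afpacket DAQ module
#   -i a:b          the interface pair the DAQ bridges
snort_inline_cmd() {
  printf 'snort -Q --daq afpacket -i %s:%s -c %s\n' "$1" "$2" "$3"
}

main() {
  prepare_inline_pair
  prepare_mgmt
  eval "$(snort_inline_cmd "$INLINE_A" "$INLINE_B" "$SNORT_CONF")"
}

# Only touch interfaces when explicitly asked (run as root: ./inline.sh run).
if [ "${1:-}" = "run" ]; then
  main
fi
```

Each inline pair needs its own Snort instance with its own `-i a:b`, so four protected networks behind one host means four pairs (eight interfaces) plus management, which is why Bill's four-sensor suggestion is the simpler layout.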