Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Configuring snort as IPS

From: Kevin Ross <kevross33 () googlemail com>
Date: Wed, 25 Jan 2012 18:34:37 +0000
Cool I was just having a tease lol. I agree it is entirely reactive. Then
again we are all reactive response too - only reacting to what attackers
are doing after they are doing it :-)

Though good news about a new book; especially if it goes beyond being a
verbose snort manual and having lots of cool stuff you can do with snort -
perhaps even a few tools with it (like how the malware analysts cookbook
has a DVD of very useful tools).

Kev


On 25 January 2012 17:18, Joel Esler <jesler () sourcefire com> wrote:


Author,  and the book was outdated when it was published, and people are
still buying it and I still receive a check from it.  But if I could, I'd
pull the book from every shelf, because all it does is make my current job
as community manager harder.  It covered Snort version 2.6  and was written
during Snort 2.5, if that tells you the age of the book.  There were
several chapters (including several mistakes in my own chapter) that are
just plain wrong.  I edited several chapters of the book, and the changes
were so heavy that they deemed I essentially rewrote them, and they
couldn't publish them as I wrote them because then the original author
wouldn't get paid.

Yes, I still have my edits, no I won't tell you which chapters.  Yes
Sourcefire has been approached about publishing another book.

There is a distinct difference in between reactive and active.

The old Snort_inline was active.  Snort with an inline DAQ now is active.
 Snortsam is re-active.  Snort with flexresp2 or flexresp3 and the react
keyword is reactive.  Snortsam, flex, etc will not block the attack in
realtime.  Flex will /attempt/ to reset the connection, but I think we've
had enough discussion on this list to prove that that approach works
"sometimes".

Snortsam is completely after the fact.  Snort alerts, writes to unified2,
barynard2 reads the unified2 and processes the command to block, sends the
block over to the firewall.  Yes, it's quick, but the attack already went
by and who knows what else has now went on?  A backdoor, a reverse shell to
a third machine?

Snort in inline mode is active.  It can block in real time.  I see nothing
wrong with both approaches for additional security.  But if I had to pick
one, I'd pick the active mode.   Snortsam as an add on isn't a bad idea,
like you said, to block the hostile host.  But then again, they can just
change IPs.

J

On Jan 25, 2012, at 9:27 AM, Kevin Ross wrote:

But reactive response isn't good marketing terminology :-p Then again you
are actively responding to the attack and it is the response that may
highlight the post alert nature of it. You are still reacting to something
that has happened. Then again there are books like:
- Intrusion Prevention and Active Response: Deploying Host and Network IPS
- Also in the Snort IDS/IPS Toolkit you appear as a
contributer/author/technical editor (whatever it was) and it has: Chapter
12: Active Response and Intrusion Prevention. How come not Reactive
Response? ;-p lol

Besides I take the view ideally yes attack should be dropped inline but I
like to block the hostile host so they can't retry.

Kev



On 24 January 2012 16:16, Joel Esler <jesler () sourcefire com> wrote:


Okay, I'm going to be pedantic for a minute.

Snortsam isn't "active response" it's "reactive response".  It will take
action after "x" occurs, post alert.  IPS, by our definition is the ability
to drop a packet inline, meaning *at* alert time.

I also don't think you have to patch Snort anymore to get Snortsam.  I
think it's built into Barynard2 now.

On Tue, Jan 24, 2012 at 8:27 AM, Fabio Almeida <mentesan () gmail com>wrote:


Hi Sandip,

Active response with http://www.snortsam.net/

Great and flexible solution, works on many firewall systems and you can
use on various Snort Sensors, and firewall boxes.

Fabio Almeida
Em 24/01/2012, às 08:09, Sandip Bankewar escreveu:

Hi,****
** **
I don’t want my system to be act as gateway.****
** **
What is the best way to configure snort as IPS??****
** **
How can we configure?? Can anyone provide me steps??****
** **
** **
Regards,****
Sandip Bankewar****
** **

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!

http://p.sf.net/sfu/learndevnow-d2d_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJPHrHAAAoJEOvN6k4KDu4agFsH/1e/bytty+QBacvwYDdhawrA
6f+ua6lerdaZwLJ1Ll9NCSDO1WMACikfAn1jSB+3eGzNYvB4xUPYZk5p5HJHCN8K
ISm8sDk/wcfnN9FcBKX+Czqt7XMYL93KMZvSI8q+bwGTlliGaDkzwhcLMKd1SY+d
XySYt6XuWbk002Sx/ummcy4kGGr4v48FCsBo4fNlWBVACsmcp7vCx0QPcfw+MGp9
MMC/HW+CjXJrXeET/W5hzoRICSRSEfx7dEDLsrMcFiaWc56kMmoG7c2cRmlnNzTq
4/Pw0wNmoxGM48A/Rt1JI8M93gs6LjFCEkWO2+L7aaalFSftzqmUwYxTZy877aU=
=uJq6
-----END PGP SIGNATURE-----



------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort




------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!






------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: