Snort mailing list archives

Re: snort inline


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 08 Nov 2012 07:54:44 -0500

On 11/7/2012 23:04, amin Salehi wrote:
> hi. how can i config snort to act as IPS?

run it inline...

> what DAQ is better for linux backtrack 64bit?

the needed DAQ is system and configuration dependent... which you use depends on 
your needs and system's capabilities...

> whether linux must act as bridge? and how?

when inline, snort is the "bridge" between the two (or more) NICs... that's what 
inline means and how snort is able to drop traffic which rules indicate are to 
be dropped...

> whether change in iptables is required? and how?

this depends on how snort drops or allows the traffic when using it as an IPS...

personally, i prefer to let snort snort and alert... other tools can do the 
dirty work... this is akin to the removal of snort's database access... let 
snort do the snorting and other tools can write the data to the database... how 
these other tools effect the dropping of connections depends on the tool and the 
OS interface to the firewall/routing controls...

NOTE: the above is my understanding of how inline works... i'm sure i'll be 
corrected if it is incorrect... that's why i only post to the group/list and 
never attempt support in private ;)
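
An added example, not part of the original post: a dry-run helper that prints the commands for two common Snort 2.9 inline setups, showing where the bridge and iptables questions above get different answers depending on the DAQ. The interface names, queue number and config path are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands for two inline setups.
CONF=/etc/snort/snort.conf   # assumed config path

# afpacket: Snort itself bridges the interface pair, so no iptables rule is
# involved. A packet that a drop rule matches is never copied to the peer NIC.
plan_afpacket() {
    in_if="$1"; out_if="$2"
    if [ -z "$in_if" ] || [ -z "$out_if" ] || [ "$in_if" = "$out_if" ]; then
        echo "afpacket inline needs two distinct interfaces" >&2
        return 1
    fi
    for nic in "$in_if" "$out_if"; do
        # Bridge members only pass frames; they need to be up and promiscuous.
        echo "ip link set $nic up promisc on"
    done
    echo "snort -Q --daq afpacket -i $in_if:$out_if -c $CONF"
}

# nfq: the kernel forwards as usual and iptables hands each forwarded packet
# to Snort for a verdict, so an NFQUEUE rule is required. With the rule in
# place and nothing bound to the queue, forwarded traffic is dropped.
plan_nfq() {
    queue="$1"
    case "$queue" in
        ''|*[!0-9]*) echo "nfq needs a numeric queue id" >&2; return 1 ;;
    esac
    echo "iptables -I FORWARD -j NFQUEUE --queue-num $queue"
    echo "snort -Q --daq nfq --daq-var queue=$queue -c $CONF"
}

# Dispatch on the DAQ name; anything else is rejected rather than guessed.
inline_plan() {
    daq="$1"; shift
    case "$daq" in
        afpacket) plan_afpacket "$@" ;;
        nfq)      plan_nfq "$@" ;;
        *) echo "unsupported DAQ: $daq" >&2; return 1 ;;
    esac
}

# Constructed sample invocations (eth0, eth1 and queue 0 are placeholders).
inline_plan afpacket eth0 eth1
inline_plan nfq 0
```

Review the printed commands before running them as root; start Snort before or together with the NFQUEUE rule so forwarding is not interrupted.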
