Snort mailing list archives
Re: Snort with AFPacket
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 04 Nov 2014 08:19:11 -0700
On 2014-11-04 08:14, Sec_Aficionado wrote:
> It looks like snort as IPS is not going to work well with my setup. Not without major reworking of stuff that is stable and has been working for years. The entire exercise, though, was a good learning experience for me. I understand better snort's architecture and how the different pieces fit together. Thank you both gents for your help!
>
> On Nov 4, 2014, at 7:28 AM, James Lay <jlay () slave-tothe-box net> wrote:
>
>> On Mon, 2014-11-03 at 21:26 -0500, waldo kitty wrote:
>>
>>> On 11/3/2014 8:56 PM, James Lay wrote:
>>>
>>>> On Mon, 2014-11-03 at 20:44 -0500, Sec Aficionado wrote:
>>>>
>>>>> Great, thank you for the explanation. NFQ was indeed my next step after trying AFPacket. AFPacket was easier to build, but I did not realize it might have serious side effects. From the high level description of NFQ, it still works with iptables, but in a more efficient manner?
>>>>
>>>> It's.....interesting. You have to be careful with where you place your iptables QUEUE rule for Snort to use. Because any rules placed AFTER the QUEUE rule are not looked at....as soon as the packet hits the QUEUE rule snort will either drop it as an IPS hit, or will pass it up the stack. So make sure you nmap the box once you put it in place...don't want any open surprises ;)
>>>
>>> that's going to be fun to do... i'm extremely familiar with the setup that the OP is working with... the entire configuration is built by iptables and getting the queues in place is going to be early in the process /IF/ i'm looking at things properly... that also puts snort towards the end of all the flow instead of at the head of it unless i'm missing what you mean by "pass [the packet] up the stack"...
>>
>> Yep..it's a hoot ;) And good call on the multiple NICs waldo.
>>
>> James
You bet....my personal belief is that Snort as an inline IPS on a dedicated, separate device with several NICs works excellently, but not on devices that provide routing/firewall services.

James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
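The rule-placement point James makes in the quoted exchange (anything listed after the iptables QUEUE rule is never evaluated for a queued packet, because Snort's verdict is final for that hook) can be made concrete with a small generator script. This is an added example, not code from the thread or from the Snort project; the queue number, interface names and the inside network are constructed placeholders, and the deny rules are illustrative. It emits a FORWARD chain in iptables-restore format with the firewall's own deny rules ahead of the NFQUEUE hand-off, checks that ordering, and only loads the rules when explicitly asked to and running as root.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables FORWARD chain that
# hands traffic to Snort over NFQUEUE *after* the firewall's own deny rules.
# Rules listed after "-j NFQUEUE" are never evaluated for a queued packet:
# Snort either drops it or accepts it ("passes it up the stack"), so anything
# the firewall must still enforce has to appear before the NFQUEUE rule.
#
# Assumptions (constructed for this example): Snort reads queue 0
# (e.g. "snort -Q --daq nfq --daq-var queue=0"), eth0 is the outside
# interface, eth1 the inside one, and 192.168.1.0/24 is the inside network.

QUEUE_NUM=0
OUTSIDE=eth0
INSIDE=eth1
LAN=192.168.1.0/24

# Print the rule set in iptables-restore format. Nothing is applied here.
build_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Anti-spoofing and explicit denies first: traffic dropped here never reaches
# Snort, so a permissive Snort policy cannot let it through.
-A FORWARD -i $OUTSIDE -s $LAN -j DROP
-A FORWARD -i $OUTSIDE -p tcp --dport 23 -j DROP
# Hand everything else to Snort LAST. No --queue-bypass: with the chain policy
# DROP, traffic fails CLOSED if Snort is not running instead of bypassing it.
-A FORWARD -j NFQUEUE --queue-num $QUEUE_NUM
COMMIT
EOF
}

# 1-based line number of the first "-A" rule matching a pattern, or empty.
rule_index() {
    build_rules | grep -n -- "^-A.*$1" | head -n 1 | cut -d: -f1
}

# Pre-load sanity check: every DROP rule must precede the NFQUEUE rule.
# Returns 0 when the ordering is right, 1 otherwise.
check_order() {
    q=$(rule_index 'j NFQUEUE')
    [ -n "$q" ] || return 1
    build_rules | grep -n -- '^-A.*-j DROP' | cut -d: -f1 | while read -r n; do
        [ "$n" -lt "$q" ] || exit 1
    done
}

# "apply" as root loads the rules after the ordering check; anything else
# just prints them for review.
if [ "${1:-show}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    check_order && build_rules | iptables-restore
else
    build_rules
fi
```

Run it without arguments to review the generated chain, and with `apply` as root to load it. After loading, a port scan of the box from the outside interface, as James suggests, confirms that nothing the firewall used to block has become reachable through the queue path.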