Snort mailing list archives
Re: Some Snort beginner questions
From: Sec_Aficionado <secaficionado () gmail com>
Date: Wed, 5 Nov 2014 12:13:33 -0500
I'm in the same boat as you. I experimented with AFPacket and a bit with NFQueue, but the first one does not work with that configuration at all and the latter requires significant tweaking. You can try Snortsam. It may do what you are looking for. It has an iptables plugin. You can read more at www.snortsam.net. I am not affiliated with the project in any way.
On Nov 5, 2014, at 11:55 AM, Jim Garrison <jhg () jhmg net> wrote:

> On 10/31/2014 5:40 PM, James Lay wrote:
>
>> On Sat, 2014-11-01 at 00:26 +0000, Joel Esler (jesler) wrote:
>>
>>> You can put all your deny statements in iptables before you put your queue statements.
>>>
>>> --
>>> Joel Esler
>>> iPhone
>>>
>>> On Oct 31, 2014, at 17:40, Jim Garrison <jhg () jhmg net> wrote:
>>>
>>>> I have a CentOS 6.5 web server configured with a very restrictive
>>>> [snip]
>>
>> Also keep in mind that any iptables rules AFTER your snort QUEUE rule are NOT applied. As soon as a packet hits the snort QUEUE rule the packet is either a) flagged by snort and dropped, or b) passed up the stack as allowed.
>
> I guess I'm still too new to Snort to fully understand how to do this.
>
> I am running Snort and iptables on a single machine, filtering incoming traffic to that one machine, and eventually wanting to run Snort as an IPS for that single machine. The iptables configuration has been stable for years and I'd rather not change it too much. What I want to do is make Snort see and react to only the traffic not already blocked by iptables. I.e.
>
> Internet --> iptables --> snort --> httpd
>
> Is there a document describing how to do this?
>
> I've read elsewhere that Snort works best as an IPS when it runs on its own dedicated machine with two NICs, and filters incoming traffic for an internal network, and not so well for my situation. Is this true?
>
> --
> Jim Garrison (jhg () acm org)
> PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
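The ordering the thread converges on (Joel's "deny statements before your queue statements", James's warning that rules below the QUEUE rule never see a packet that was queued, and Jim's Internet --> iptables --> snort --> httpd goal) written out as one concrete iptables-restore ruleset, with a small awk lint for the two ordering mistakes that actually matter on a single host. This is an added example, not code from the thread, from Snort or from Snortsam. It assumes Snort is started inline on netfilter queue 0 with the nfq DAQ (for example `snort -Q --daq nfq --daq-var queue=0 -c /etc/snort/snort.conf`); the networks 203.0.113.0/24 (a blocklist) and 192.0.2.0/24 (an admin network) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: one-host Snort IPS behind iptables.
# iptables makes every static deny decision first; only what survives is
# handed to Snort via NFQUEUE, so Snort never sees traffic iptables already
# rejects. Assumptions: Snort is attached to queue 0 through the nfq DAQ
# (e.g. snort -Q --daq nfq --daq-var queue=0 -c /etc/snort/snort.conf);
# 203.0.113.0/24 is a constructed blocklist, 192.0.2.0/24 a constructed admin net.

# Ruleset in iptables-restore format. Load with:  ruleset_good | iptables-restore
ruleset_good() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Static denies and trusted accepts: packets decided here never reach Snort.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
# 2. Hand web traffic to Snort. NFQUEUE is terminal for a matching packet:
#    Snort's verdict (accept or drop) is final and no later INPUT rule runs
#    for it. No --queue-bypass, so if Snort is not running the host fails
#    closed (queued packets are dropped) instead of silently bypassing the IPS.
#    The whole flow is queued, not only the SYN, so Snort sees the payloads.
-A INPUT -p tcp -m multiport --dports 80,443 -j NFQUEUE --queue-num 0
# 3. Rules below only see packets the NFQUEUE rule did not match, e.g. replies
#    to the server's own outbound connections (package updates, DNS).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Same intent with the two common ordering mistakes (constructed for the lint).
ruleset_bad() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Mistake 1: a blanket ESTABLISHED accept above the queue rule means only the
# first packet of each web connection reaches Snort; payloads bypass the IPS.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j NFQUEUE --queue-num 0
# Mistake 2: a deny below the queue rule never sees web traffic Snort accepted.
-A INPUT -s 203.0.113.0/24 -j DROP
COMMIT
EOF
}

# Lint: reads an iptables-restore ruleset on stdin and flags, per chain,
# (a) ESTABLISHED accepts placed before that chain's NFQUEUE rule and
# (b) DROP/REJECT rules placed after it. Prints findings; exits 1 if any.
lint_nfq_order() {
  awk '
    /^-A / { chain = $2 }
    /^-A / && /-j NFQUEUE/ { queued[chain] = 1; next }
    /^-A / && !queued[chain] && /ESTABLISHED/ && /-j ACCEPT/ { print "early-accept: " $0; bad = 1 }
    /^-A / && queued[chain] && /-j (DROP|REJECT)/ { print "late-deny: " $0; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Stand-alone run: the good ruleset passes, the bad one reports two findings.
main() {
  ruleset_good | lint_nfq_order && echo "good ruleset: ok"
  ruleset_bad | lint_nfq_order || echo "bad ruleset: see findings above"
}

main "$@"
```

The lint is deliberately coarse: a DROP placed after the queue rule is not wrong for traffic the queue rule never matches, but moving every deny above it is always safe and is exactly what Joel suggested, so the lint just insists on that order. If the server's responses should be inspected as well (Snort's stream reassembly works better with both directions), the same split applies to the OUTPUT chain: static accepts and denies first, then a single NFQUEUE rule for the web ports on the same queue number.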
Current thread:
- Some Snort beginner questions Jim Garrison (Oct 31)
- Re: Some Snort beginner questions Joel Esler (jesler) (Oct 31)
- Re: Some Snort beginner questions James Lay (Oct 31)
- Re: Some Snort beginner questions Jim Garrison (Nov 05)
- Re: Some Snort beginner questions Sec_Aficionado (Nov 05)
- Re: Some Snort beginner questions James Lay (Nov 05)
- Re: Some Snort beginner questions James Lay (Oct 31)
- Re: Some Snort beginner questions Joel Esler (jesler) (Oct 31)
- Re: Some Snort beginner questions waldo kitty (Nov 01)