Snort mailing list archives

Re: trouble with online mode


From: Sec_Aficionado <secaficionado () gmail com>
Date: Sat, 13 Dec 2014 16:02:33 -0500

---- quoted message follows ----
Ah....yea that's the issue. With --daq-mode inline snort will create its own bridge (that you have no control over). 
This type of deployment works really well with snort on its own machine inline, such as: (Internet) <-> (SnortIPS) 
<-> (LinuxRouter) <-> (Switch). I think you and I were in the same boat where we had a linux router that we wanted to 
put IPS on. You can use the nfq daq functionality like so:

snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /usr/local/etc/snort/snort.conf

/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
or
/sbin/iptables -I INPUT -j NFQUEUE --queue-num 1

But I'm going to be honest...I never got nfq to work well. There's a thread on the list that talks heavily about this, 
but in a nutshell as soon as a packet hits the snort queue, it is either dropped as an IPS hit, or accepted and sent 
along, which means any iptables rules AFTER the snort queue rule are not referenced, so be warned and make sure to nmap 
the external IP after you make the changes. It really seems like the IPS functionality is more suited for the IPS on 
its own dedicated machine and not integrated into a router. My two cents :) James

---- end of quoted message ---- 

James,

I wonder if you ever got this setup to work. I found the following suggestions in a suricata configuration guide. They 
use FORWARD instead of INPUT. I have to do some reading before I test this but I'd like to know if you have any advice.

I would really like to get snort to work as an IPS in a firewall/router box, rather than in a separate machine.

Thanks!

The following is an excerpt from: 
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux

There is also a way to use iptables with multiple networks (and interface cards). Example:


sudo iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE
sudo iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE

The options -i (input) -o (output) can be combined with all previously mentioned options.

If you stop Suricata and use the internet, the traffic will not come through. To make the internet work correctly, you 
have to erase all iptables rules.


Sent from my mobile
Any weird stuff is autocorrect's fault
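Editor's added example (not part of the original post or of the Snort/Suricata projects): a shell script that generates an iptables-restore ruleset for the router-with-IPS layout discussed above. The interface names (eth0 WAN, eth1 LAN) and queue number (1) are assumptions; swap them for your own. It puts James's warning into practice: because an NF_ACCEPT verdict from the queue ends traversal of that hook, the NFQUEUE rules are appended as the last rules in FORWARD, after the router's own filtering. It also addresses the wiki's "traffic will not come through" caveat with the NFQUEUE target's --queue-bypass option (fail-open when no IPS is listening); the "strict" mode leaves it off for fail-closed behaviour.

```shell
#!/bin/sh
# Added example, not from the thread.  Builds an iptables-restore ruleset for a
# Linux router that hands FORWARD traffic to a Snort/Suricata NFQUEUE.
# Assumptions (not from the thread): eth0 is the WAN side, eth1 the LAN side,
# and the IPS listens on queue 1 (e.g. snort --daq nfq --daq-var queue=1).
#
# Ordering matters: when the IPS returns NF_ACCEPT, the packet is accepted for
# that hook and any later rules in the chain are never evaluated.  So the
# router's own policy goes first and NFQUEUE is the last rule in FORWARD.
WAN=eth0
LAN=eth1
QUEUE=1

# gen_rules MODE -- MODE is "bypass" (fail-open: --queue-bypass lets traffic
# flow when no IPS is attached to the queue) or "strict" (fail-closed: with the
# IPS stopped, queued packets are dropped by the kernel).
gen_rules() {
    mode=${1:-bypass}
    bypass=""
    if [ "$mode" = "bypass" ]; then
        bypass=" --queue-bypass"
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router's own firewall policy comes first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate NEW -j DROP
# Whatever survived goes to the IPS, both directions; last rules in the chain
-A FORWARD -i $LAN -o $WAN -j NFQUEUE --queue-num $QUEUE$bypass
-A FORWARD -i $WAN -o $LAN -j NFQUEUE --queue-num $QUEUE$bypass
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# nfqueue_is_last CHAIN MODE -- sanity check on the generated ruleset: returns
# 0 only if no non-NFQUEUE rule in CHAIN appears after an NFQUEUE rule.
nfqueue_is_last() {
    gen_rules "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /NFQUEUE/) seen_q = 1
            else if (seen_q) bad = 1
        }
        END { exit bad + 0 }'
}

# Load with:  gen_rules bypass | iptables-restore
# then start the IPS, e.g.:
#   snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /usr/local/etc/snort/snort.conf
```

Note that only forwarded traffic is inspected here; packets addressed to the router itself (INPUT/OUTPUT) bypass the IPS, which is the trade-off the FORWARD variant from the Suricata wiki makes. Verify the result from outside, as James suggests, by port-scanning the WAN address both with the IPS running and with it stopped.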
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
