Snort mailing list archives
Re: Snort IPS with one NIC
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 20 Oct 2016 08:23:19 -0600
On 2016-10-17 15:28, Dave Corsello wrote:
FYI - Neither the nfq nor the afpacket daq modules work with a single interface. I believe AWS allows you to create a virtual machine with multiple network interfaces. But it doesn't allow any components to be promiscuous, so this rules out Snort IPS on a network with multiple hosts.

I rigged up a work-around on a single-interface remote machine in which a simple perl script monitors an alert.fast log and inserts BLOCK rules in iptables for IPs that trigger priority 1 and 2 Snort alerts. Blocking all priority-2-triggering IPs might be too coarse, but it's the best I can come up with for now. Any suggestions?

On 10/12/2016 5:59 PM, Dave Corsello wrote:

I am considering using a remotely hosted server as a web server, and would like to know if it is possible to protect it with Snort IPS. I've been using Snort inline for several years using the usual 3 interfaces--two bridged and one for management. Can Snort be run in IPS mode to protect the local server with only one network interface? Seems like this must have been asked many times before--sorry if this is a repeat.
Lemme lab this one up....I recall at some point in time using some fancy iptables rules in the mangle table plus snort I was able to get IPS on a single nic...might take me a bit to get to, but I will.

James
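The workaround described in the quoted message (watching alert.fast and blocking the sources of priority 1 and 2 alerts), sketched in Python as an added example; it is not the Perl script mentioned in the thread. The `DROP` target, the `never_block` allowlist and the sample log lines are assumptions constructed for illustration, and the commands are only built as argument lists, not executed.

```python
import ipaddress
import re

# alert.fast line tail: "[Priority: N] {PROTO} src[:port] -> dst[:port]" (IPv4 only here)
ALERT_RE = re.compile(
    r"\[Priority:\s*(?P<prio>\d+)\]\s*\{[^}]+\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"
)

def parse_alert(line):
    """Return (priority, source address), or None if the line is not an IPv4 alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:  # e.g. an octet above 255 in a damaged log line
        return None
    return int(m.group("prio")), src

def block_commands(lines, max_priority=2, never_block=()):
    """Build one iptables argv per new offending source, in first-seen order."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    seen, commands = set(), []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        prio, src = parsed
        if prio > max_priority or src in seen:
            continue  # low-severity alert, or this source is already handled
        if any(src in net for net in protected):
            continue  # never lock out the admin network or the server itself
        seen.add(src)
        commands.append(["iptables", "-I", "INPUT", "-s", str(src), "-j", "DROP"])
    return commands

# Constructed sample lines (documentation address ranges, made-up rule IDs).
SAMPLE = [
    "10/17-15:20:01.000001  [**] [1:1000001:1] Constructed alert A [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 198.51.100.10:80",
    "10/17-15:20:02.000002  [**] [1:1000002:1] Constructed alert B [**] [Priority: 3] {TCP} 203.0.113.8:40000 -> 198.51.100.10:80",
    "10/17-15:20:03.000003  [**] [1:1000003:1] Constructed alert C [**] [Priority: 1] {ICMP} 203.0.113.9 -> 198.51.100.10",
    "10/17-15:20:04.000004  [**] [1:1000001:1] Constructed alert A [**] [Priority: 2] {TCP} 203.0.113.7:51240 -> 198.51.100.10:80",
    "10/17-15:20:05.000005  [**] [1:1000004:1] Constructed alert D [**] [Priority: 1] {TCP} 192.0.2.10:50000 -> 198.51.100.10:22",
]

if __name__ == "__main__":
    for argv in block_commands(SAMPLE, never_block=["192.0.2.0/24"]):
        print(" ".join(argv))
```

The allowlist matters because an alert's source address can belong to an administrator or be spoofed, which is one way blocking on every priority 2 alert turns out too coarse.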
Current thread:
- Snort IPS with one NIC Dave Corsello (Oct 12)
- Re: Snort IPS with one NIC Dave Corsello (Oct 17)
- Re: Snort IPS with one NIC James Lay (Oct 20)