Snort mailing list archives

Re: Snort IPS with one NIC


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 20 Oct 2016 08:23:19 -0600

On 2016-10-17 15:28, Dave Corsello wrote:
FYI - Neither the nfq nor the afpacket daq modules work with a single
interface.

I believe AWS allows you to create a virtual machine with multiple
network interfaces.  But it doesn't allow any components to be
promiscuous, so this rules out Snort IPS on a network with multiple
hosts.

I rigged up a work-around on a single-interface remote machine in which
a simple perl script monitors an alert.fast log and inserts BLOCK rules
in iptables for IPs that trigger priority 1 and 2 Snort alerts.

Blocking all priority-2-triggering IPs might be too coarse, but it's the
best I can come up with for now.  Any suggestions?

On 10/12/2016 5:59 PM, Dave Corsello wrote:
I am considering using a remotely hosted server as a web server, and
would like to know if it is possible to protect it with Snort IPS.  I've
been using Snort inline for several years using the usual 3
interfaces--two bridged and one for management.  Can Snort be run in IPS
mode to protect the local server with only one network interface?  Seems
like this must have been asked many times before--sorry if this is a
repeat.

Lemme lab this one up....I recall at some point in time using some fancy 
iptables rules in the mangle table plus snort I was able to get IPS on a 
single nic...might take me a bit to get to, but I will.

James
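
Added example, not part of the original thread and not the Perl script mentioned in it: a Python sketch of the alert.fast-to-iptables work-around described in the quoted message, which builds the block commands without running them. The allowlist entries, the `INPUT` chain with a `DROP` target, and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re

# Tail of an alert.fast line: "[Priority: N] {PROTO} SRC[:PORT] -> DST[:PORT]" (IPv4 only here)
ALERT_RE = re.compile(
    r"\[Priority:\s*(\d+)\]\s*\{[^}]+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)

# Assumption: addresses that must never be blocked (the server itself, an admin network),
# so a false positive or spoofed source cannot lock the operator out.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]

def offenders(lines, max_priority=2):
    """Return source IPs, in first-seen order, of alerts with priority <= max_priority."""
    seen = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or int(m.group(1)) > max_priority:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if ip in seen or any(ip in net for net in ALLOWLIST):
            continue
        seen.append(ip)
    return [str(ip) for ip in seen]

def block_commands(ips):
    """Build iptables argv lists; the caller decides whether and how to run them."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]

# Constructed sample lines in alert.fast format (not taken from a real sensor).
SAMPLE = [
    "10/20-08:01:02.000001  [**] [1:1000001:1] Constructed rule A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80",
    "10/20-08:01:03.000002  [**] [1:1000002:1] Constructed rule B [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.77 -> 192.0.2.10",
    "10/20-08:01:04.000003  [**] [1:1000003:1] Constructed rule C [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:4444 -> 192.0.2.10:22",
    "10/20-08:01:05.000004  [**] [1:1000001:1] Constructed rule A [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.5:51300 -> 192.0.2.10:80",
    "10/20-08:01:06.000005  [**] [1:1000004:1] Constructed rule D [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
]

if __name__ == "__main__":
    for argv in block_commands(offenders(SAMPLE)):
        print(" ".join(argv))
```

Passing `max_priority=1` restricts blocking to priority 1 alerts only.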
