Snort mailing list archives

Re: IDS


From: Jason Hellenthal <jhellenthal () dataix net>
Date: Mon, 10 Jul 2017 10:52:50 -0500

Normally that's just to set it up and maintain the software and rules to go along with it to start. IDS in itself to snort(1) uses libpcap to build its interrogation techniques while still sending the traffic to its destination, which seems to be quite confusing to some folks after they find the traffic still arriving at the dst host.

IPS mode… inline mode inspects the traffic live and drops or passes them on your determination of rules that should drop or alert. By default you get a lot of ALERT-only rules and you're not sure why they are not dropping… because you have not set them to drop. SID mgmt becomes a big part of this operation.

So hopefully, as you can see, each side has a drawback in the way you manage the entire structure that you built, but when done with all that in mind, along with the reporting infrastructure, you get a highly tuned IDS/IPS solution that fits almost any size network.

If you have not dealt with snort before in both of the above-mentioned roles, then you might want to lean on using the legacy mode that uses libpcap, depending on the project's requirements. Most often IDS legacy mode with blocking enabled is adequate enough for most small to 2/3 size medium businesses and will result in less time of maintainership.

Though that is just my opinion and only a portion of what can actually be done with snort and other related IDS/IPS solutions. Maybe a more well-rounded question of "this is what I am trying to achieve vs. this is what I don't like right now with what I have" may be more helpful to answer.


Hope some of this helps.


On Jul 10, 2017, at 10:15, Justin Pederson via Snort-users <snort-users () lists snort org> wrote:

What is the best way to set snort up? Either have it just look at the live packets as they come in, or form a pcap and then look into the pcap?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
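The point above that rules ship alert-only until you set them to drop, and that SID management is then the real work, as an added example that is not from this thread or from the Snort project: a small Python script that flips listed SIDs from alert to drop in a rules file while leaving disabled and pass rules alone. The rule lines and helper names are constructed for the example.

```python
import re

# A Snort rule line starts with its action keyword; the sid option sits in the option block.
RULE_RE = re.compile(r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<rest>.+)$')
SID_RE = re.compile(r'\bsid\s*:\s*(?P<sid>\d+)\s*;')

def rule_sid(line):
    """Return the SID in a rule line, or None if the line carries no sid option."""
    m = SID_RE.search(line)
    return int(m.group('sid')) if m else None

def apply_drop_sids(rules_text, drop_sids):
    """Flip 'alert' to 'drop' for the listed SIDs, leaving everything else untouched.

    Commented-out (disabled) rules are skipped, and rules that already carry another
    action (pass, log, ...) are never changed: a pass rule is a deliberate exception.
    """
    wanted = set(drop_sids)
    out = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped)  # None for blanks and '#' comments
        if m and m.group('action') == 'alert' and rule_sid(stripped) in wanted:
            out.append('drop ' + m.group('rest'))
        else:
            out.append(line)
    return '\n'.join(out) + '\n'

def count_actions(rules_text):
    """Tally active rules by action, to check what an inline policy will really do."""
    counts = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            counts[m.group('action')] = counts.get(m.group('action'), 0) + 1
    return counts

# Constructed sample rule file using local SIDs (>= 1000000); not Snort's own rules.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login burst"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Known scanner User-Agent"; sid:1000002; rev:2;)
# alert tcp any any -> any any (msg:"Disabled noisy rule"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Monitoring host exempt"; sid:1000004; rev:1;)
"""

if __name__ == '__main__':
    tuned = apply_drop_sids(SAMPLE_RULES, [1000001, 1000003, 1000004])
    print(tuned, count_actions(tuned))  # {'drop': 1, 'alert': 1, 'pass': 1}
```

Running count_actions before and after the change is a quick way to see how many rules would actually block in inline mode versus only alert.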
