Snort mailing list archives
RE: Snort Inline
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Mon, 3 Mar 2003 07:17:33 -0700
By all means you could run 2 separate daemons where snort-inline would handle the drops and snort would handle the alerts to mySQL. That would simplify the process.

As for the iptables, the greatest feature of the snort-inline product is that you can essentially pass any variable to the ip_queue module and use any customized rule for a matching drop. Not too familiar with Firestarter, but if it utilizes IPTABLES, then all that is required would essentially be something like this:

(your current Firestarter IPTABLES rule)

iptables -A INPUT -p TCP -s hacker.ip.address.com --destination-port 445 -j DROP

would be changed to one of the following:

iptables -A INPUT -p TCP -s hacker.ip.address.com --destination-port 445 -j QUEUE

or....

iptables -A INPUT -p TCP -s hacker.ip.address.com --destination-port 445 -j LOG --log-level 6 --log-prefix "Active Directory Access Attempt"
iptables -A INPUT -p TCP -s hacker.ip.address.com --destination-port 445 -j QUEUE

All you really have to do is change the action following the "-j" from DROP or whatever it might be to QUEUE, and this instructs iptables to pass this information to ip_queue whereby snort-inline will pick it up. The "LOG" feature can be used for additional logging to your syslog file, but usually the snort-inline alert file will present substantial data.

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Friday, February 28, 2003 11:08 AM
To: Slighter, Tim
Cc: SnortUsers
Subject: RE: [Snort-users] Snort Inline

OK, great news. Would I be able to run snort and snort-inline together with the same rules (different dirs, one for the ALERT and one for the DROP) so I can log and record to ACID? Would that be possible? I suppose I can just use LD with IPTABLES...

Also, one last question... I currently have an iptables firewall set up using Firestarter. Would I be able to inject the rules that I have for that into the firewall.rc that Snort-Inline uses? I have a lot of custom port accepts and denies that I would like to keep.

Thanks for the response,
Joe

On Fri, 2003-02-28 at 10:15, Slighter, Tim wrote:

Yes, you can use the recently downloaded snort rules....just make sure to change all instances of "alert" to "drop". If a user attempts outbound to a site that is prohibited by the snort rule, the connection should be dropped and they should not receive any information at their system except a timeout.

As for ACID and mySQL...snort-inline relies upon the alert file in order to work correctly. It might be possible to compile with mySQL and then configure the snort daemon in such a way that it logs to the alert file and to mySQL, but you are in uncharted water at that point. Perhaps that could be a suggested project for the development team, where snort-inline can extract the data from mySQL instead of the alert file.

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Friday, February 28, 2003 9:04 AM
To: SnortUsers
Subject: [Snort-users] Snort Inline

List,

I just downloaded the Snort-In-line app and I have a few questions.. I read the PDF file on how to set it up and configure it. Basically I have these questions:

1> In essence, this app will BLOCK traffic if it falls into one of the preset rule sets? So, for instance, I have a user that tries to access a pornographic web site and it violates a rule, it will BLOCK (DENY) the return traffic from the website thereby returning an error in his/her web browser?
2> Can I use the existing SNORT rules that I have in place (downloaded last night)?
3> Will it still report to my ACID database if I opt to use it instead of regular SNORT?
4> Can I still use regular SNORT if #3 is a no?

Thanks, and I apologize if these questions have been answered before. Again, thanks for your time!!!

Joe

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
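As an added example, not code from the thread or from the snort-inline project, here is a small POSIX shell script that performs the two rewrites Tim describes: changing the action keyword of downloaded Snort rules from alert to drop, and converting Firestarter-style iptables DROP rules into QUEUE rules with an optional LOG rule in front. The source address, ports and log prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: the two rewrites Tim describes,
# as shell functions that filter stdin to stdout. Addresses, ports and the
# log prefix are constructed placeholders.

# Snort rules: change the leading action keyword "alert" to "drop" so that
# snort-inline drops matching packets. Only the first word is touched, so an
# "alert" inside a msg:"..." string, a comment line or a "pass" rule stays.
snort_alert_to_drop() {
    sed -e 's/^[[:space:]]*alert[[:space:]]/drop /'
}

# iptables rules: rewrite "-j DROP" into "-j QUEUE" so the packet goes to
# ip_queue for snort-inline; with a first argument of "yes" a LOG rule is
# emitted in front of it. Reads one iptables command per line.
# Caveat: only traffic that reaches a QUEUE rule is inspected by snort-inline,
# and if no process is reading ip_queue the kernel drops queued packets.
iptables_drop_to_queue() {
    want_log="${1:-no}"
    while IFS= read -r line; do
        case "$line" in
            *" -j DROP")
                if [ "$want_log" = yes ]; then
                    printf '%s\n' "$line" |
                      sed 's/ -j DROP$/ -j LOG --log-level 6 --log-prefix "snort-inline"/'
                fi
                printf '%s\n' "$line" | sed 's/ -j DROP$/ -j QUEUE/'
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Constructed sample input, printed when the script is run directly.
printf 'alert tcp any any -> any 80 (msg:"alert on port 80";)\n' | snort_alert_to_drop
printf 'iptables -A INPUT -p TCP -s 192.0.2.10 --destination-port 445 -j DROP\n' |
  iptables_drop_to_queue yes
```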