Snort mailing list archives

Re: IDS vs IPS


From: Matt Kettler <mkettler () EVI-INC COM>
Date: Thu, 21 Aug 2003 10:19:02 -0400

At 12:10 PM 8/20/2003 -0400, Vkmobile () aol com wrote:
> So is Snort an IDS or an IPS (Intrusion Prevention) or both?
>
> Also, how can an IDS be converted to an IPS? Can someone point me in the right direction such as an FAQ or some website where I can read and learn?

Snort itself is an IDS, and specifically a NIDS (network IDS) as opposed to a HIDS (host IDS). There are tools like inline-snort and snortsam which make it into an IPS by allowing it to interact with a firewall to block packets.

Snortsam is quite powerful, but it acts slightly after the offending packet, so it won't block the packet that caused the alert. It's capable of reconfiguring a wide variety of firewalls, including hardware boxes like the Cisco PIX.

inline-snort I don't know much about, but I think it interacts with the Linux kernel's IPTables/netfilter layer directly. As such, it can only work on Linux, but might be able to block packets in true realtime (at the expense of some network slowdown if your rules are complex).
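
The timing difference described in the message above, as an added example that is not part of the original post and is not Snort, snortsam or inline-snort code: a constructed Python model comparing a passive sensor that reconfigures a firewall after the alert with an inline sensor that gives a verdict on each packet before forwarding it. The `SIGNATURE` string, the `reaction_delay` parameter, the function names and the sample traffic are all assumptions made for illustration.

```python
from dataclasses import dataclass

SIGNATURE = "EVIL"  # hypothetical stand-in for a rule match


@dataclass(frozen=True)
class Packet:
    src: str
    payload: str


def matches(pkt):
    return SIGNATURE in pkt.payload


def reactive_block(packets, reaction_delay=0):
    """Passive sensor plus firewall reconfiguration (the snortsam-style model).

    The sensor only sees a copy of the traffic, so the alerting packet is
    always forwarded. The block on its source becomes active only after
    `reaction_delay` further packets have passed the firewall.
    """
    active_from = {}  # src -> index of the first packet the block applies to
    delivered = []
    for i, pkt in enumerate(packets):
        if pkt.src in active_from and i >= active_from[pkt.src]:
            continue  # firewall rule is in place: dropped
        delivered.append(pkt.payload)
        if matches(pkt) and pkt.src not in active_from:
            active_from[pkt.src] = i + 1 + reaction_delay
    return delivered


def inline_block(packets):
    """Inline sensor (the inline-snort-style model): every packet waits for
    a verdict, so the matching packet itself is dropped. This model does not
    block the source, only the packets that match."""
    return [pkt.payload for pkt in packets if not matches(pkt)]


# Constructed sample traffic, in arrival order.
TRAFFIC = [
    Packet("10.0.0.5", "GET /index"),
    Packet("10.0.0.9", "EVIL one"),
    Packet("10.0.0.9", "follow-up"),
    Packet("10.0.0.5", "GET /about"),
    Packet("10.0.0.9", "EVIL two"),
]

if __name__ == "__main__":
    print("reactive, no delay:", reactive_block(TRAFFIC))
    print("reactive, delay 1 :", reactive_block(TRAFFIC, reaction_delay=1))
    print("inline            :", inline_block(TRAFFIC))
```

In the reactive runs the first matching packet always reaches its destination, and a longer reaction delay lets more of the source's traffic through before the block lands; in the inline run neither matching packet is delivered.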




