Snort mailing list archives

Re: AW: Snort& Intrusion Prevention


From: Ravi Kumar <ravivsn () rocsys com>
Date: Fri, 04 Jun 2004 10:49:20 +0530

Snort does not work as an inline IDS. And Flexresp is not an inline technology. Flexresp just sends TCP resets for TCP connections and ICMP Destination Unreachable for UDP packets to block.
Since Snort takes packets in promiscuous mode, it can't act inline. Therefore we have snort_inline, an inline NIDS based on Snort. It takes packets using libipq. Libipq is a library which transfers packets to userspace using the ip_queue module. Since this involves netfilter, you can send a verdict to drop or accept or stolen etc. Thus every packet must pass through the snort_inline engine.

Cheers,
-Ravi
ROCSYS Technologies Ltd
http://www.rocsys.com



Maetzky, Steffen (Extern) wrote:

>>However, neither flexresp nor flexresp2 are inline type technologies, and they operate
>>VERY differently than inline-snort.
>
>I agree with you that they work differently
>but I'm not sure that flexresp/ flexresp 2 isn't a kind of inline-ids:
>
>>"in-line" means just that.. the snort box is in-line with your data flow, much like a
>>firewall box. It's got two ethernet interfaces, and data must go through the snort box, and can't go around it.
>>
>>       Internet -------- inline-snort ------ your network
>
>How does flexresp/flexresp2 communicate if it isn't a kind of inline-ids?
>
> iface (promisc) ------- snort ------- os?
>(reset on receiver-side)
> iface (promisc) ------- snort ------- os ------- iface (non promisc)?
>(reset on source-side)
>
>-------------------------------------------------------
>This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
>installation-authoring solution that does it all. Learn more and
>evaluate today! http://www.installshield.com/Dev2Dev/0504
>_______________________________________________
>Snort-users mailing list
>Snort-users () lists sourceforge net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
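
The libipq verdict loop described in the reply above, as an added example that is not part of the original post and is not snort_inline's own code. `decide_verdict` and `SIG` are hypothetical stand-ins for the detection engine; the kernel side assumes the ip_queue module and an iptables QUEUE rule.

```c
/* Added example. Build with -DHAVE_LIBIPQ -lipq on a host that has ip_queue
 * loaded and an iptables QUEUE rule; without the macro only the decision
 * logic compiles, so it can be exercised without root or libipq. */
#include <stddef.h>
#include <string.h>
#ifdef HAVE_LIBIPQ
#include <sys/socket.h>         /* PF_INET */
#include <linux/netfilter.h>    /* NF_DROP, NF_ACCEPT */
#include <libipq.h>
#else
#define NF_DROP   0             /* same values as linux/netfilter.h */
#define NF_ACCEPT 1
#endif

/* Constructed marker standing in for a real rule match (assumption). */
static const char SIG[] = "CONSTRUCTED-BAD-PATTERN";

/* pkt is the queued IP packet, headers included; scan it for the marker. */
unsigned int decide_verdict(const unsigned char *pkt, size_t len)
{
    size_t n = sizeof(SIG) - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(pkt + i, SIG, n) == 0)
            return NF_DROP;
    return NF_ACCEPT;
}

#ifdef HAVE_LIBIPQ
int main(void)
{
    unsigned char buf[2048];
    struct ipq_handle *h = ipq_create_handle(0, PF_INET);
    if (!h || ipq_set_mode(h, IPQ_COPY_PACKET, sizeof(buf)) < 0) {
        ipq_perror("ipq");
        return 1;
    }
    /* Each queued packet is held by the kernel until a verdict is returned,
     * which is what makes this inline rather than a promiscuous tap. */
    while (ipq_read(h, buf, sizeof(buf), 0) > 0) {
        if (ipq_message_type(buf) != IPQM_PACKET)
            continue;           /* netlink error message, not a packet */
        ipq_packet_msg_t *m = ipq_get_packet(buf);
        ipq_set_verdict(h, m->packet_id,
                        decide_verdict(m->payload, m->data_len), 0, NULL);
    }
    ipq_destroy_handle(h);
    return 1;                   /* loop only ends on a read error */
}
#endif
```

A packet that receives NF_DROP never reaches the destination, whereas a flexresp reset is sent only after the sniffed packet has already been delivered.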
