Snort mailing list archives
RE: new user - snort is not droping pacekts
From: <lokesh.khanna () accelonafrica com>
Date: Tue, 15 Feb 2005 10:23:02 +0100
Hi Thanks for reply. I remember in real secure or manhunt, I used to configure a port in mirroring mode on switch and I put IDS on that port. All our traffic was going through that mirrored port. Based on rules defined in IDS, it was dropping / logging packets. If I understand correctly, do I need to pass all traffic through IDS box. IDS will act as a router also. And based on alerts, IDS will make modification in IPCHAIN and will drop or allow packets. Or is there any other way out? How can I find out documents on this? Cordially, LK -----Original Message----- From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher () bristol ac uk] Sent: 15 February 2005 10:06 To: Lokesh Khanna; snort-users () lists sourceforge net Subject: Re: [Snort-users] new user - snort is not droping pacekts --On 15 February 2005 08:52 +0100 lokesh.khanna () accelonafrica com wrote:
I have just installed Snort 2.3.0RC2 on Enterprise Redhat with ACID. I am using webmin to manage rules. I have used Manhunt and Real Secure before. I am using snort 1st time. I can see lots of Alert in ACID Console. But I do not understand how Snort will drop the packet if it is matching any rule. In Real Secure I used to define action for each rule. How can I do
same
here?
Either use snort in inline (IPS) mode, and replace 'alert' with 'drop', or look into using something like SnortSam or Flexresp to run scripts which add ACLs to your routers, or rules to your firewalls. If you don't use snort in inline mode, it's a NIDS and will not interfere directly with the sessions that it sees.
Is there any other tool to manage rules?
Snortcenter2, oinkmaster. I prefer the latter, these days. Writing an oinkmaster rule to programmatically modify dozens of rules is quicker and easier than clicking a few hundred times with a greater chance of human error.
LK
Best Regards, Alex. -- Alex Butcher: Security & Integrity, Personal Computer Systems Group Information Systems and Computing GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9 ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_ide95&alloc_id396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- new user - snort is not droping pacekts lokesh.khanna (Feb 15)
- Re: new user - snort is not droping pacekts Alex Butcher, ISC/ISYS (Feb 15)
- <Possible follow-ups>
- RE: new user - snort is not droping pacekts lokesh.khanna (Feb 15)
- RE: new user - snort is not droping pacekts Alex Butcher, ISC/ISYS (Feb 15)
- RE: new user - snort is not droping pacekts lokesh.khanna (Feb 15)
- RE: new user - snort is not droping pacekts Alex Butcher, ISC/ISYS (Feb 15)
- RE: new user - snort is not droping pacekts lokesh.khanna (Feb 15)
- RE: new user - snort is not droping pacekts Chris Vaughan (Feb 15)
- RE: new user - snort is not droping pacekts Joshua Berry (Feb 15)
- RE: new user - snort is not droping pacekts lokesh.khanna (Feb 15)
- RE: new user - snort is not droping pacekts Chris Vaughan (Feb 15)
- RE: new user - snort is not droping pacekts lokesh.khanna (Feb 15)
- suppresing events from privat lan hans (Feb 16)
(Thread continues...)