Snort mailing list archives

RE: new user - snort is not dropping packets


From: <lokesh.khanna () accelonafrica com>
Date: Tue, 15 Feb 2005 10:23:02 +0100

Hi

Thanks for reply.

I remember that in Real Secure or Manhunt I used to configure a port in
mirroring mode on the switch and put the IDS on that port. All our traffic was
going through that mirrored port. Based on the rules defined in the IDS, it was
dropping / logging packets.

If I understand correctly, do I need to pass all traffic through the IDS
box? The IDS will act as a router as well, and based on alerts the IDS will make
modifications in ipchains and will drop or allow packets.
Or is there any other way out? How can I find documents on this?

Cordially,

LK

-----Original Message-----
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher () bristol ac uk] 
Sent: 15 February 2005 10:06
To: Lokesh Khanna; snort-users () lists sourceforge net
Subject: Re: [Snort-users] new user - snort is not dropping packets



--On 15 February 2005 08:52 +0100 lokesh.khanna () accelonafrica com wrote:

I have just installed Snort 2.3.0RC2 on Red Hat Enterprise Linux with ACID.

I am using Webmin to manage rules. I have used Manhunt and Real Secure
before. I am using Snort for the first time.

I can see lots of alerts in the ACID console, but I do not understand how
Snort will drop the packet if it matches any rule.

In Real Secure I used to define an action for each rule. How can I do the
same here?

Either use snort in inline (IPS) mode, and replace 'alert' with 'drop', or
look into using something like SnortSam or Flexresp to run scripts which
add ACLs to your routers, or rules to your firewalls.

If you don't use snort in inline mode, it's a NIDS and will not interfere
directly with the sessions that it sees.

Is there any other tool to manage rules?

Snortcenter2, oinkmaster.

I prefer the latter, these days. Writing an oinkmaster rule to
programmatically modify dozens of rules is quicker and easier than clicking
a few hundred times with a greater chance of human error.

LK

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
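The programmatic alert-to-drop conversion Alex recommends, as an added example that is not code from this thread, from oinkmaster or from the Snort project: the script below rewrites the action of selected rules by SID the way an oinkmaster line such as `modifysid 1000001 "^alert" | "drop"` (or `modifysid * "^alert" | "drop"` for every rule) does, joins backslash-continued rules, and leaves commented-out rules and non-alert actions (for example a `pass` rule that whitelists admin traffic) untouched. The rules in SAMPLE_RULES are constructed for the example with SIDs in the local range, and the function names are this example's own. A rewritten rule file only blocks anything once snort is run inline (built with --enable-inline and started with -Q) on a box that forwards the traffic through an iptables QUEUE target; on a mirrored switch port, as in the first message, a drop rule produces an alert but cannot stop the packet.

```python
"""Rewrite Snort rule actions by SID (alert -> drop) for an inline sensor.

Added example, not code from the thread, from oinkmaster or from Snort.
It reproduces the effect of oinkmaster's  modifysid <sid> "^alert" | "drop"
on a rules file.  All sample rules below are constructed for this example.
"""
import re

# Rule header: <action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)
RULE_RE = re.compile(
    r"^(?P<action>[a-z]+)\s+"
    r"(?P<rest>\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\(.*\))\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Actions Snort 2.3 accepts; drop/sdrop/reject only have effect in inline mode.
INLINE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                  "drop", "sdrop", "reject"}

SAMPLE_RULES = """\
# constructed sample rules for this example, not the official rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login attempt"; flow:to_server,established; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000002; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"disabled rule"; sid:1000003; rev:1;)
pass tcp $ADMIN_NET any -> $HOME_NET 22 (msg:"admin SSH allowed"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB session setup"; \\
    flow:to_server,established; classtype:protocol-command-decode; sid:1000005; rev:1;)
"""


def logical_lines(text):
    """Yield lines with backslash continuations joined into one logical line."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        if buf:
            buf.append(line.strip())
            yield " ".join(buf)
            buf = []
        else:
            yield line
    if buf:  # continuation at end of file
        yield " ".join(buf)


def parse_rule(line):
    """Return (action, sid, rest) for an active rule line, else None."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None  # blank line or disabled (commented-out) rule
    m = RULE_RE.match(s)
    if not m:
        return None  # var/config/preprocessor lines and anything else
    sid_m = SID_RE.search(m.group("rest"))
    sid = int(sid_m.group(1)) if sid_m else None
    return m.group("action"), sid, m.group("rest")


def modify_actions(rules_text, targets, new_action="drop"):
    """Change 'alert' rules whose sid is in targets to new_action.

    targets is a set of sids, or "*" for every rule (like 'modifysid *').
    Returns (rewritten_text, changed_sids, missing_sids).  A targeted sid that
    is commented out or absent is reported in missing_sids rather than silently
    ignored; rules with any other action (pass, log, ...) are never rewritten.
    """
    if new_action not in INLINE_ACTIONS:
        raise ValueError(f"{new_action!r} is not a Snort rule action")
    out, changed = [], []
    for line in logical_lines(rules_text):
        parsed = parse_rule(line)
        if parsed:
            action, sid, rest = parsed
            if action == "alert" and (targets == "*" or sid in targets):
                line = f"{new_action} {rest}"
                changed.append(sid)
        out.append(line)
    missing = sorted(set(targets) - set(changed)) if targets != "*" else []
    return "\n".join(out) + "\n", changed, missing


if __name__ == "__main__":
    text, changed, missing = modify_actions(SAMPLE_RULES, {1000001, 1000003})
    print(text)
    print("changed:", changed, "missing:", missing)
```

Run the converted file through `snort -T -c snort.conf` before restarting the sensor: a drop rule that fails to parse takes the whole config down, and in inline mode that means traffic stops at the QUEUE target until snort is back.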
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users