Re: snort deployment

[MAEDA <snomrpt () yahoo co jp>]

You should run snort as inline-mode (see manual version 2.3.x).
In inline-mode, snort takes packet informations from target QUEUE of iptables.
So, you make bridge between two NICs, and assign QUEUE to FORWARD-chain target.

# ifconfig  eth0  0.0.0.0  up
# ifconfig  eth1  0.0.0.0  up

# modprobe  bridge
# brctl  addbr br0
# brctl  addif br0 eth0
# brctl  addif br0 eth1

# modprobe  ip_queue
# iptables -A FORWARD -j QUEUE

# snort -QD


> Im building a linux box with to nics I want to put this box between my pix 
> and switch. So I can for the IDS on all that traffic coming in and out of 
> our lan. I wanted to know should I setup this up in a bridge mode because I 
> dont have a tap.
>
> Thanks adv.


__________________________________
Save the earth
http://pr.mail.yahoo.co.jp/ondanka/



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users