Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort-NIDS inline mode configuration questions

From: Kevin Ross <kevross33 () googlemail com>
Date: Fri, 20 May 2011 16:13:24 +0100
For a homenet I would recommend smoothwall as an easy choice with some
choice addons, namely:

- Guardian (active response, blocks ip addresses based on snort alerts for a
period of time)
http://community.smoothwall.org/forum/viewtopic.php?f=52&t=30245

- Snort 2.8.6.1
http://community.smoothwall.org/forum/viewtopic.php?f=26&t=36435

- Blackhole DNS (resolves DNS queries for tens of thousands of malware
domains, mainly from malwaredomains.com which it updates to loopback
127.0.0.1 so your clients don't connect to them)
http://community.smoothwall.org/forum/viewtopic.php?f=103&t=26030

And there are plenty others. This would mean (with some configuration,
putting on the emergingthreats.net rules etc you get a firewall, DNS
blackhole, snort with active response and so on.

If you are running it on your network key things are:
- It can see the traffic (inline this isn't a problem, IDS would mean
mirroring the port or being able to see the traffic such as on the gateway).
- internally you get less alerts that are more appropriate (i.e you will see
malware internal to your network and stuff that has made it into your
network. I would recommend running the emergingthreats snort rules too for
the malware detection they offer as well as other stuff.


On 20 May 2011 15:14, lay rando <khaosnetz () googlemail com> wrote:


I want to run snort on my homenet as NIDS probably in inline mode i
compiled snort already with all daq features.
my question is which networkcard i have to run in promiscuous mode and
on which device and how should snort be started
ive readed that snort should better run on the internal side due
security reasons but im not really sure if thats in this case right.

here is my net configuration:
router                  ->      ext eth1        ->      fw masquerade   ->
     int eth0        -> switch
10.10.11.10                     10.10.11.20
            10.10.1.1

is there anything special iptables related i should know for my setup?


------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its
next-generation tools to help Windows* and Linux* C/C++ and Fortran
developers boost performance applications - including clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its 
next-generation tools to help Windows* and Linux* C/C++ and Fortran 
developers boost performance applications - including clusters. 
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: