Snort mailing list archives
Re: snort-NIDS inline mode configuration questions
From: Kevin Ross <kevross33 () googlemail com>
Date: Fri, 20 May 2011 16:13:24 +0100
For a homenet I would recommend smoothwall as an easy choice with some choice addons, namely:

- Guardian (active response, blocks IP addresses based on snort alerts for a period of time) http://community.smoothwall.org/forum/viewtopic.php?f=52&t=30245
- Snort 2.8.6.1 http://community.smoothwall.org/forum/viewtopic.php?f=26&t=36435
- Blackhole DNS (resolves DNS queries for tens of thousands of malware domains, mainly from malwaredomains.com, which it updates, to loopback 127.0.0.1 so your clients don't connect to them) http://community.smoothwall.org/forum/viewtopic.php?f=103&t=26030

And there are plenty of others. This would mean (with some configuration, putting on the emergingthreats.net rules etc.) you get a firewall, DNS blackhole, snort with active response and so on.

If you are running it on your network, key things are:

- It can see the traffic (inline this isn't a problem; IDS would mean mirroring the port or being able to see the traffic such as on the gateway).
- Internally you get fewer alerts that are more appropriate (i.e. you will see malware internal to your network and stuff that has made it into your network).

I would recommend running the emergingthreats snort rules too for the malware detection they offer as well as other stuff.

On 20 May 2011 15:14, lay rando <khaosnetz () googlemail com> wrote:
I want to run snort on my homenet as NIDS, probably in inline mode. I compiled snort already with all DAQ features. My question is which network card I have to run in promiscuous mode and on which device, and how should snort be started? I've read that snort should better run on the internal side due to security reasons, but I'm not really sure if that's right in this case. Here is my net configuration:

router -> ext eth1 -> fw masquerade -> int eth0 -> switch
10.10.11.10 10.10.11.20 10.10.1.1

Is there anything special iptables related I should know for my setup?

------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
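The "active response" idea Kevin describes for Guardian (block an address on the strength of a snort alert, then lift the block after a set period) is easy to sketch. The script below is an added illustration written for this archive page; it is not Guardian's code and makes no claim about how Guardian itself is implemented. It parses Snort's `-A fast` alert format, picks the peer outside HOME_NET as the address to block (so an internal host that trips a rule is never cut off), keeps an expiry time per block, and emits the iptables commands as strings instead of running them. The chain name `SNORT_BLOCK`, the sample alert lines, the priority threshold and the 30-minute block window are all assumptions chosen for the example.

```python
"""Guardian-style timed blocking driven by Snort "fast" alerts (illustration, not Guardian)."""
import ipaddress
import re
from dataclasses import dataclass

# One Snort "-A fast" alert per line, e.g.
#   05/20-16:13:24.000001  [**] [1:2000001:3] MSG [**] [Classification: ...] [Priority: 1] {TCP} 1.2.3.4:80 -> 5.6.7.8:443
# The Classification field is optional; ports are absent for protocols without them.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts for the 10.10.11.0/24 homenet in the thread; SIDs and messages are made up.
SAMPLE_ALERTS = [
    "05/20-16:13:24.000001  [**] [1:2000001:3] CONSTRUCTED trojan beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.10.11.10:49152 -> 198.51.100.7:80",
    "05/20-16:13:25.000002  [**] [1:2000002:1] CONSTRUCTED inbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40000 -> 10.10.11.20:22",
    "05/20-16:13:26.000003  [**] [1:2000003:1] CONSTRUCTED low priority noise [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.44:53 -> 10.10.11.10:5353",
    "05/20-16:13:27.000004  [**] [1:2000004:1] CONSTRUCTED internal only [**] [Priority: 1] {TCP} 10.10.11.10:1234 -> 10.10.11.20:445",
]


@dataclass
class Alert:
    sid: int
    msg: str
    priority: int          # Snort priority: 1 = high, 3 = low
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_fast_alert(line):
    """Return an Alert for a well-formed fast-format line, or None."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]),
                 ipaddress.IPv4Address(m["src"]), ipaddress.IPv4Address(m["dst"]))


class Responder:
    def __init__(self, home_net, block_seconds=1800, max_priority=2, whitelist=()):
        self.home_net = ipaddress.IPv4Network(home_net)
        self.block_seconds = block_seconds        # how long a block lasts
        self.max_priority = max_priority          # only act on priority <= this
        self.whitelist = {ipaddress.IPv4Address(a) for a in whitelist}
        self.blocks = {}                          # ip -> expiry timestamp (seconds)

    def offender(self, alert):
        """The peer outside HOME_NET; internal, loopback and whitelisted hosts are never blocked."""
        for ip in (alert.src, alert.dst):
            if ip not in self.home_net and ip not in self.whitelist and not ip.is_loopback:
                return ip
        return None

    def process(self, line, now):
        """Consume one alert line at time `now`; return the address blocked, or None."""
        alert = parse_fast_alert(line)
        if alert is None or alert.priority > self.max_priority:
            return None
        ip = self.offender(alert)
        if ip is None:
            return None
        # A repeat alert extends the block rather than shortening it.
        self.blocks[ip] = max(self.blocks.get(ip, 0), now + self.block_seconds)
        return ip

    def expire(self, now):
        """Drop blocks whose window has passed; return the addresses released."""
        expired = [ip for ip, t in self.blocks.items() if t <= now]
        for ip in expired:
            del self.blocks[ip]
        return expired

    def iptables_rules(self, chain="SNORT_BLOCK"):
        """Commands that would enforce the current block list (returned, not executed)."""
        return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(self.blocks)]


if __name__ == "__main__":
    r = Responder("10.10.11.0/24")
    for line in SAMPLE_ALERTS:
        print("blocked:", r.process(line, now=1000))
    print("\n".join(r.iptables_rules()))
    print("released at t+1800:", r.expire(2800))
```

Run against the constructed alerts, the first two lines each produce a block (the external peer in both cases), the priority-3 line is ignored, and the internal-to-internal alert produces no block because neither side is outside HOME_NET. A real deployment would also need the matching `-D` on expiry and a dedicated chain that the forwarding path jumps to; those are left out to keep the logic visible.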
Current thread:
- snort-NIDS inline mode configuration questions lay rando (May 20)
- Re: snort-NIDS inline mode configuration questions Kevin Ross (May 20)
- Re: snort-NIDS inline mode configuration questions lay rando (May 20)
- Re: snort-NIDS inline mode configuration questions Joel Esler (May 20)
- Re: snort-NIDS inline mode configuration questions Russ Combs (May 20)
- Re: snort-NIDS inline mode configuration questions Kevin Ross (May 20)