Re: snort-NIDS inline mode configuration questions

[Joel Esler <jesler () sourcefire com>]

Yes, IMO, you should run it on the internal side.  Let the Firewall keep the kruft out and the IPS examine what gets 
through..

On May 20, 2011, at 10:14 AM, lay rando wrote:

> I want to run snort on my homenet as NIDS probably in inline mode i
> compiled snort already with all daq features.
> my question is which networkcard i have to run in promiscuous mode and
> on which device and how should snort be started
> ive readed that snort should better run on the internal side due
> security reasons but im not really sure if thats in this case right.
>
> here is my net configuration:
> router                        ->      ext eth1        ->      fw masquerade   ->      int eth0        -> switch
> 10.10.11.10                   10.10.11.20                                             10.10.1.1
>
> is there anything special iptables related i should know for my setup?

iptables uses the QUEUE devel module to send things to DAQ/Snort, you'll need to install something like iptables-devel, 
and alter your rules in iptables to send things to the QUEUE (-j QUEUE) for DAQ to pick it up.

J
------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its 
next-generation tools to help Windows* and Linux* C/C++ and Fortran 
developers boost performance applications - including clusters. 
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users