Re: Question for the Guru's

[carlopmart <carlopmart () gmail com>]

On 11/14/2011 05:55 PM, John Liss wrote:
> Hey Gang,
>
> We have been a snort users for a long while now, and we have always used
> it as a IDS, in alert mode only, with a mirrored port.
> Our typical setup is like:
> http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
> Internet ->  firewall - lan
> |
>                           snort eth 1
>
> Recently our team has started to research a more proactive approach to
> using snort where we can drop packets on offending rules.
>
> So the question to the group would be:
>
> Requirements:  Snort to be inline, bridged, and have the ability to drop
> bad traffic.
> Internet ->  snort eth1 ->  snort eth2 ->  firewall ->  lan
>
> What is the best way to approach dropping packets for offending rules.
>
> Just plain Snort?  (Does 2.9.1.2 support inline with the ability to drop?)
> Snort with Samsnort?
> Snort inline (though doesn't look like it is maintained much anymore)
>
> We are wanting to do inline mode with a subscription to rules but before
> we purchase the rules, we need a proof of concept first.
>
> We would like to use the latest snort-2.9.1.x branch if we can.
>
> Thanks in advance!
>
> -John

See daq docs about af-packet and nfq ...


-- 
CL Martinez
carlopmart {at} gmail {d0t} com

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!