Snort mailing list archives

Re: Question about Inline mode


From: NA <dustypath () comcast net>
Date: Sun, 04 Dec 2011 14:55:55 -0800

On 12/4/11 12:48 PM, Albert E. Whale wrote:
I have been asked to develop an IDS/IPS solution which can span
multiple zones behind a firewall.

While I have reservations in implementing a single box to become an
active sensor for IDS/IPS solutions on the networks.

In addition to believing that this is the wrong strategy to use in
protecting internal networks (I am supposed to protect 4 internal
networks), I am not certain of the correct configuration of the host
server.

In an Inline mode, are the network interfaces linked?  What network
configuration is required for IDS/IPS or inline configuration?
Inline mode is done via a DAQ module. Inline is supported by at least
the NFQ and Afpacket DAQ modules. This is new to Snort as of the 2.9.x.x
versions. You actually need 3 interfaces as traffic goes across, for
example setting your sensor to detect across eth0:eth1 and the eth2 as
the management interface.


Does the inline mode require two interfaces?

Can Snort support multiple networks, simultaneously?  Does this reduce
the throughput capability of the monitor?
Multiple networks can be supported but of course bandwidth is the
consideration here along with the strength of the Snort sensor. There
are better people on this list to answer than me but depending on the
size/bandwidth considerations you may want to consider using 4 sensors
that report to a main server for analysis. Like I said, others on this
list can help there as I have no experience here. Search the Google
Groups list too.
Hope this serves at least as a start to answer your questions.
Bill
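The two inline layouts Bill describes (afpacket bridging eth0:eth1 with eth2 as management, or NFQ with the kernel handing forwarded packets to Snort), shown as an added example that is not part of the original post. Interface names, the queue number and the snort.conf path are assumptions.

```shell
#!/bin/sh
# Added example (not from the list post): build the Snort 2.9.x inline
# invocation. The bridged pair carries traffic with no IP address of its
# own; the management NIC has the IP and must never be part of the pair.
# Interface names and paths below are assumptions for illustration.

SNORT_CONF=/etc/snort/snort.conf   # assumed path

# Refuse a layout where the management interface is inside the bridged
# pair, or where the pair is not two distinct interfaces "a:b".
check_topology() {
    pair="$1"; mgmt="$2"
    left=${pair%%:*}; right=${pair#*:}
    [ -n "$left" ] && [ -n "$right" ] && [ "$left" != "$right" ] || return 1
    [ "$mgmt" != "$left" ] && [ "$mgmt" != "$right" ] || return 1
    return 0
}

# afpacket DAQ: Snort itself bridges the two NICs in the pair and drops
# packets that match drop rules (-Q enables inline/IPS mode).
afpacket_cmd() {
    pair="$1"
    check_topology "$pair" "$2" || return 1
    echo "snort -Q --daq afpacket --daq-mode inline -i $pair -c $SNORT_CONF"
}

# NFQ DAQ: the host routes or bridges; iptables queues forwarded packets
# to NFQUEUE number N and Snort returns the verdict for each one.
nfq_cmds() {
    queue="$1"
    echo "iptables -A FORWARD -j NFQUEUE --queue-num $queue"
    echo "snort -Q --daq nfq --daq-var queue=$queue -c $SNORT_CONF"
}
```

Run `afpacket_cmd eth0:eth1 eth2` or `nfq_cmds 0` to print the commands to review before executing them as root on the sensor.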
