Re: Configuring snort as IPS

[Joel Esler <jesler () sourcefire com>]

It is our opinion that the Snort Reference Manual, and things that I have planned for the future will make a more 
effective documentation method than any static book would be.

We have no plans for a book at this time.

J

On Jan 25, 2012, at 1:34 PM, Kevin Ross wrote:

> Cool I was just having a tease lol. I agree it is entirely reactive. Then again we are all reactive response too - 
> only reacting to what attackers are doing after they are doing it :-)
>
> Though good news about a new book; especially if it goes beyond being a verbose snort manual and having lots of cool 
> stuff you can do with snort - perhaps even a few tools with it (like how the malware analysts cookbook has a DVD of 
> very useful tools).
>
> Kev
>
>
> On 25 January 2012 17:18, Joel Esler <jesler () sourcefire com> wrote:
> Author,  and the book was outdated when it was published, and people are still buying it and I still receive a check 
> from it.  But if I could, I'd pull the book from every shelf, because all it does is make my current job as community 
> manager harder.  It covered Snort version 2.6  and was written during Snort 2.5, if that tells you the age of the 
> book.  There were several chapters (including several mistakes in my own chapter) that are just plain wrong.  I 
> edited several chapters of the book, and the changes were so heavy that they deemed I essentially rewrote them, and 
> they couldn't publish them as I wrote them because then the original author wouldn't get paid.  
>
> Yes, I still have my edits, no I won't tell you which chapters.  Yes Sourcefire has been approached about publishing 
> another book. 
>
> There is a distinct difference in between reactive and active.
>
> The old Snort_inline was active.  Snort with an inline DAQ now is active.  Snortsam is re-active.  Snort with 
> flexresp2 or flexresp3 and the react keyword is reactive.  Snortsam, flex, etc will not block the attack in realtime. 
>  Flex will /attempt/ to reset the connection, but I think we've had enough discussion on this list to prove that that 
> approach works "sometimes".
>
> Snortsam is completely after the fact.  Snort alerts, writes to unified2, barynard2 reads the unified2 and processes 
> the command to block, sends the block over to the firewall.  Yes, it's quick, but the attack already went by and who 
> knows what else has now went on?  A backdoor, a reverse shell to a third machine?  
>
> Snort in inline mode is active.  It can block in real time.  I see nothing wrong with both approaches for additional 
> security.  But if I had to pick one, I'd pick the active mode.   Snortsam as an add on isn't a bad idea, like you 
> said, to block the hostile host.  But then again, they can just change IPs.
>
> J
>
> On Jan 25, 2012, at 9:27 AM, Kevin Ross wrote:
>
> > But reactive response isn't good marketing terminology :-p Then again you are actively responding to the attack and 
> > it is the response that may highlight the post alert nature of it. You are still reacting to something that has 
> > happened. Then again there are books like:
> > - Intrusion Prevention and Active Response: Deploying Host and Network IPS
> > - Also in the Snort IDS/IPS Toolkit you appear as a contributer/author/technical editor (whatever it was) and it 
> > has: Chapter 12: Active Response and Intrusion Prevention. How come not Reactive Response? ;-p lol
> >
> > Besides I take the view ideally yes attack should be dropped inline but I like to block the hostile host so they 
> > can't retry.
> >
> > Kev
> >
> >
> >
> > On 24 January 2012 16:16, Joel Esler <jesler () sourcefire com> wrote:
> > Okay, I'm going to be pedantic for a minute.
> >
> > Snortsam isn't "active response" it's "reactive response".  It will take action after "x" occurs, post alert.  IPS, 
> > by our definition is the ability to drop a packet inline, meaning at alert time.  
> >
> > I also don't think you have to patch Snort anymore to get Snortsam.  I think it's built into Barynard2 now.
> >
> > On Tue, Jan 24, 2012 at 8:27 AM, Fabio Almeida <mentesan () gmail com> wrote:
> > Hi Sandip,
> >
> > Active response with http://www.snortsam.net/
> >
> > Great and flexible solution, works on many firewall systems and you can use on various Snort Sensors, and firewall 
> > boxes.
> >
> > Fabio Almeida
> > Em 24/01/2012, às 08:09, Sandip Bankewar escreveu:
> >
> > > Hi,
> > >  
> > > I don’t want my system to be act as gateway.
> > >  
> > > What is the best way to configure snort as IPS??
> > >  
> > > How can we configure?? Can anyone provide me steps??
> > >  
> > >  
> > > Regards,
> > > Sandip Bankewar
> > >  
> > > ------------------------------------------------------------------------------
> > > Keep Your Developer Skills Current with LearnDevNow!
> > > The most comprehensive online learning library for Microsoft developers
> > > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > > Metro Style Apps, more. Free future releases when you subscribe now!
> > > http://p.sf.net/sfu/learndevnow-d2d_______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> >
> > iQEcBAEBAgAGBQJPHrHAAAoJEOvN6k4KDu4agFsH/1e/bytty+QBacvwYDdhawrA
> > 6f+ua6lerdaZwLJ1Ll9NCSDO1WMACikfAn1jSB+3eGzNYvB4xUPYZk5p5HJHCN8K
> > ISm8sDk/wcfnN9FcBKX+Czqt7XMYL93KMZvSI8q+bwGTlliGaDkzwhcLMKd1SY+d
> > XySYt6XuWbk002Sx/ummcy4kGGr4v48FCsBo4fNlWBVACsmcp7vCx0QPcfw+MGp9
> > MMC/HW+CjXJrXeET/W5hzoRICSRSEfx7dEDLsrMcFiaWc56kMmoG7c2cRmlnNzTq
> > 4/Pw0wNmoxGM48A/Rt1JI8M93gs6LjFCEkWO2+L7aaalFSftzqmUwYxTZy877aU=
> > =uJq6
> > -----END PGP SIGNATURE-----
> >
> >
> > ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> >
> >
> > -- 
> > Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | 
> > http://blog.clamav.net
> > Twitter:  http://twitter.com/snort
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!