Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: don't interrupt traffic when snort inline crashes

From: Jaime Nebrera <jnebrera () gmail com>
Date: Mon, 16 Apr 2012 09:29:58 +0200
   Hi Guillaume


We decided to use snort inline as an IPS.

We will deploy snort inline on network and we have one question about what will happen when machine or snort will 
crash.

- If our machine crashes, we have a fail open card so traffic will be forward. (of course without IPS but we think 
it's better to not interrupt network traffic)
- My question is if snort crashes, the bridge between our interface will be broken but the system will be up so fail 
open card will not work as a bridge and we will lost every packets.

How could we resolve this issue to not interrupt traffic after snort crashes ?


   You need to control the state of the snort process either by an 
external process or by the stats produced by it with a watchdog

   In case you detect something is wrong, you can enable the bypass 
functionality of the card or divert the traffic to go directly through 
the bridge without entering snort.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: