Snort mailing list archives

Re: IPS mode for snort


From: Nomad Esst <noname.esst () yahoo com>
Date: Wed, 12 Jun 2013 22:59:35 -0700 (PDT)

Thanks. You know, I've just decided to use it in inline mode. I gave that a try with these configurations:
Here is my custom snort.conf (named snr.conf):

    config daq: ipfw
    config daq_mode: inline
    config policy_mode: inline
    output alert_full: stdout
    include snort.rule

Here is a simple rule file (named snort.rule):

    drop tcp any any -> any 23 (msg:"Drop telnet packets"; sid:1000001;)
    pass ip any any -> any any

And here is what I do:
snort -c /root/snr.conf -Q --alert-before-pass
And I expect the ICMP packets to pass and telnet packets to drop. But both packet types pass! Am I missing something?
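Added example, not part of the thread: a small model of how Snort chooses between the drop rule and the catch-all pass rule posted above. Snort groups rules by action and evaluates the action classes in a fixed precedence, so the verdict depends on whether pass is evaluated before or after drop; the two precedence lists below are my reading of the Snort 2.9 manual (default inline order versus --alert-before-pass) and the rule grammar is simplified (header fields only, no option matching), so both are assumptions.

```python
import re

# Simplified Snort rule header: action proto src sport -> dst dport [(options)]
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")

# Action classes in evaluation order, highest precedence first (assumed from
# the Snort 2.9 manual; only the relative position of pass and drop matters here).
ORDER_DEFAULT = ["pass", "drop", "sdrop", "reject", "alert", "log"]
ORDER_ALERT_BEFORE_PASS = ["drop", "sdrop", "reject", "alert", "log", "pass"]

# Constructed sample input: the two rules from the post, as a rule file.
RULES_TEXT = """
drop tcp any any -> any 23 (msg:"Drop telnet packets"; sid:1000001;)
pass ip any any -> any any
"""

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        rules.append(m.groupdict())
    return rules

def _field_matches(rule_value, pkt_value):
    return rule_value == "any" or str(rule_value) == str(pkt_value)

def rule_matches(rule, pkt):
    # "ip" covers every IP protocol; otherwise the protocol must be identical.
    proto_ok = rule["proto"] == "ip" or rule["proto"] == pkt["proto"]
    return (proto_ok
            and _field_matches(rule["src"], pkt["src"])
            and _field_matches(rule["sport"], pkt.get("sport", "any"))
            and _field_matches(rule["dst"], pkt["dst"])
            and _field_matches(rule["dport"], pkt.get("dport", "any")))

def verdict(rules, pkt, order):
    # Walk the action classes in precedence order; the first class that has a
    # matching rule decides the packet's fate.
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action
    return "pass"  # nothing matched: inline Snort forwards the packet

# Constructed packets: a telnet SYN and an ICMP echo (no ports).
TELNET = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 23}
ICMP = {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.9"}
```

With pass evaluated first, both packets are passed because the catch-all pass rule wins; with pass evaluated last, the telnet packet reaches the drop class first and is dropped while ICMP still passes.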


________________________________
 From: Mike Miller <mike () millertwinracing com>
To: Nomad Esst <noname.esst () yahoo com> 
Sent: Wednesday, June 12, 2013 7:30 PM
Long story short, you gang two network interfaces into a pair, have one network drop (in from Firewall) going to one 
interface, and the other network drop (out to LAN), going to your router/switchfabric, running snort in inline mode, 
you have additional actions in your snort rules, where before you can Alert, log, etc...you can also Pass, Drop, 
reject, and sdrop the packets, which prevent them from going from one interface to the other. 

You can set snort up in inline mode, and so long as all the rules are set to alert, it'll act like snort that's just 
sniffing traffic. However, if the snort box goes offline, or you restart the snort processes, or snort hangs YOU WILL 
LOSE NETWORK CONNECTIVITY if you're not using a fail-open network card. 

Gig Nics are $9 in the bargain bin. Fail open Gig NICs are closer to $2000, so you can see why people who don't care 
for uptime might cut a corner or two. Last I checked, there was no such thing as a fail-open Fiber NIC, that may have 
changed. A quick google shows they exist, are $10k MSRP, and I'm not sure HOW they work....because, you know, they use 
LIGHT and all that. (It's an admitted gap in my knowledge)

Gotchas:
1. Aforementioned fail-open behavior
2. Overly aggressive rulesets (if a False Positive is set to DROP or REJECT, you could cause a lot of oddball activity)
3. Another troubleshooting layer for Network Support. (Is the failure at the ISP, Firewall, Switchfabric...or Emerging 
Threats)
4. If the Bad Guy thinks you're actively blacklisting based on IP, they can craft packets to make you go deaf. (Like 
making sure your Snort box is blocking access to the outside DNS server...because it received a UDP packet that was 
bad, that it thinks came from the DNS server.)

That said, having a good, tuned, IDP is a GREAT way to cut down on your day to day work. If it punts 98% of the sql 
injection attacks to your webfarm, you can devote your time to other things. 
On Wed, Jun 12, 2013 at 1:44 AM, Nomad Esst <noname.esst () yahoo com> wrote:

Hi list



Sorry for these questions, I'm a new snort user.
How can I enable IPS mode for snort? And is it possible to run snort in both IDS and IPS modes? How? 


Thanks in advance


I wouldn't recommend leaping into IPS mode as a new snort user without familiarizing yourself with the environment. 
It's a sharp sword that would be easy to cut yourself on. Can you run IPS/IDS at the same time? Sure, but it may not 
be the optimal way to go. 


Thanks. Could you please tell me how can I have snort act as both IDS and IPS modes? What is the configuration?