Re: IPS mode for snort

[Mike Miller <mike () millertwinracing com>]

Did you create a bridged virtual interface?

http://snortattack.org/node/303


On Thu, Jun 13, 2013 at 12:08 AM, Nomad Esst <noname.esst () yahoo com> wrote:

> Thanks. You know, I've just decided to use it in inline mode. I gave that
> a try with these configurations :
> Here is my custom snort.conf: (named snr.conf)
> config daq: ipfw
> config daq_mode: inline
> config policy_mode: inline
> output alert_full: stdout
> include snort.rule
> Here is a simple rule file: (name snort.rule)
> drop tcp any any -> any 23 (msg: "Drop telnet packets"; sid: 1000001)
> pass ip any any -> any any
> And here is what I do:
> snort -c /root/snr.conf -Q --alert-before-pass
> And I expect the ICMP packets to pass and telnet packets to drop. But both
> packet types pass! Am I missing something?
>
>   ------------------------------
>  *From:* Mike Miller <mike () millertwinracing com>
> *To:* Nomad Esst <noname.esst () yahoo com>*Sent:* Wednesday, June 12, 2013
> 7:30 PM
>
> Long story short, you gang two network interfaces into a pair, have one
> network drop (in from Firewall) going to one interface, and the other
> network drop (out to LAN), going to your router/switchfabric, running snort
> in inline mode, you have additional actions in your snort rules, where
> before you can Alert, log, etc...you can also Pass, Drop, reject, and sdrop
> the packets, which prevent them from going from one interface to the other.
>
> You can set snort up in inline mode, and so long as all the rules are set
> to alert, it'll act like snort that's just sniffing traffic. However, if
> the snort box goes offline, or you restart the snort processes, or snort
> hangs YOU WILL LOSE NETWORK CONNECTIVITY if you're not using a fail-open
> network card.
>
> Gig Nics are $9 in the bargain bin. Fail open Gig NICs are closer to
> $2000, so you can see why people who don't care for uptime might cut a
> corner or two. Last I checked, there was no such thing as a fail-open Fiber
> NIC, that may have changed. A quick google shows they exist, are $10k MSRP,
> and I'm not sure HOW they work....because, you know, they use LIGHT and all
> that. (It's an admitted gap in my knowledge)
>
> Gotchas:
> 1. Aforementioned fail-open behavior
> 2. Overly aggressive rulesets (if a Fase Positive is set to DROP or
> REJECT, you could cause a lot of oddball activity)
> 3. Another troubleshooting layer for Network Support. (Is the failure at
> the ISP, Firewall, Switchfabric...or Emerging Threats)
> 4. If the Bad Guy think's you're actively blacklisting based on IP, they
> can craft packets to make you go deaf. (Like making sure your Snort box is
> blocking access to the outside DNS server...because it received a UDP
> packet that was bad, that it thinks came from the DNS server.)
>
> That said, having a good, tuned, IDP is a GREAT way to cut down on your
> day to day work. If it punts 98% of the sql injection attacks to your
> webfarm, you can devote your time to other things.
>
>
>
>
>
>
> On Wed, Jun 12, 2013 at 1:44 AM, Nomad Esst <noname.esst () yahoo com> wrote:
>
> > > Hi list
>
> > > Sorry for these questions, I'm a new snort user.
> > > How can I enable IPS mode for snort? And is it possible to run snort in
> both IDS and IPS modes? How?
>
> > > Thanks in advance
>
> > I wouldn't recommend leaping into IPS mode as a new snort user without
> familiarizing yourself with the environment. It's a sharp sword that would
> be >easy to cut yourself on. Can you run IPS/IDS at the same time? Sure,
> but it may not be the optimal way to go.
>
> Thanks. Could you please tell me how can I have snort act as both IDS and
> IPS modes? What is the configuration?
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!