Snort mailing list archives
Re: Handling firewall rejected packets in SNort IPS
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 17 May 2013 09:56:04 -0400
On 5/17/2013 02:54, VES Education wrote:
> Hi, this is a very basic question on Snort IPS. Over the last few days, I couldn't find an answer on the net. Our intention is to find the packet flow in our application.
it would seem to be pretty basic, but i'm not so sure about that ;)
> We would like to use Snort IPS (currently we use Snort IDS). If we go for inline mode, will all incoming packets be placed in the NF queue by the firewall? Suppose a packet is getting rejected in the firewall layer; how will Snort IPS come to know about it? As per my current understanding, if a packet is rejected in the firewall, it will not go to Snort IPS. Hence the IDS feature is missing in Snort IPS mode.
this depends on where, in your firewall routing rules, you inject the rule to send the traffic to snort... consider a firewall script that starts off as

    # appending (-A) puts each rule at the end of the chain
    iptables -A INPUT -j jmptosnort
    iptables -A INPUT -j jmptogood

OR

    # inserting (-I) puts each rule at the top of the chain, so the later insert ends up first
    iptables -I INPUT -j jmptosnort
    iptables -I INPUT -j jmptogood

in both cases, the actual ordering is not going to be what you expect it to be... jmptosnort will be last in line and everything else will be acted on first... what you really want is to force/ensure that the jmptosnort rule is at the top of the chain so that it is entered first and then anything that passes snort will come back to traverse the rest of the rules... NOTE: yes, this is a very simplistic and incomplete example... there's a reason for that ;) O:)
> That means we need to use both Snort IDS mode and inline mode. Is it possible to run two instances of Snort in different modes on the same machine?
you don't need to do this if you get your firewall rules in the proper order ;)

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
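To make the ordering argument above concrete, here is a small constructed model of chain traversal (added for this archive page; it is not real iptables code and not from the thread's participants). It assumes two hook stages, "mangle" before "filter", and that a packet Snort accepts from NFQUEUE resumes at the next stage rather than at the next rule of the same chain; the packets, the port-23 REJECT rule and the stand-in Snort verdicts are all constructed sample data.

```python
from typing import Any, Callable, Dict, List, Tuple
Packet = Dict[str, Any]
Rule = Tuple[Callable[[Packet], bool], str]   # (match function, target)
STAGES = ["mangle", "filter"]                 # hook stages in traversal order

class Netfilter:
    """Constructed model of chain traversal; not real iptables/netfilter."""
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {s: [] for s in STAGES}
    def append(self, stage: str, rule: Rule) -> None:  # like iptables -A
        self.chains[stage].append(rule)
    def insert(self, stage: str, rule: Rule) -> None:  # like iptables -I: goes to the top
        self.chains[stage].insert(0, rule)
    def run(self, pkt: Packet, snort: "Snort") -> str:
        for stage in STAGES:
            for match, target in self.chains[stage]:
                if not match(pkt):
                    continue
                if target == "NFQUEUE":
                    if snort.inspect(pkt) == "DROP":
                        return "DROP"
                    break  # assumed: NF_ACCEPT resumes at the next stage, not the next rule
                return target  # ACCEPT / DROP / REJECT terminate traversal
        return "ACCEPT"  # chain policy for this example

class Snort:
    """Stand-in for inline Snort: records every packet it is handed."""
    def __init__(self) -> None:
        self.seen: List[int] = []
    def inspect(self, pkt: Packet) -> str:
        self.seen.append(pkt["dport"])
        return "DROP" if pkt["payload"] == "evil" else "ACCEPT"

PACKETS = [{"dport": 22, "payload": "ssh"}, {"dport": 23, "payload": "telnet"},
           {"dport": 80, "payload": "evil"}]  # constructed sample traffic

def firewall_first() -> Tuple[List[str], List[int]]:
    """NFQUEUE appended after the REJECT rule: rejected packets never reach Snort."""
    nf, snort = Netfilter(), Snort()
    nf.append("filter", (lambda p: p["dport"] == 23, "REJECT"))
    nf.append("filter", (lambda p: True, "NFQUEUE"))
    return [nf.run(p, snort) for p in PACKETS], snort.seen

def snort_first() -> Tuple[List[str], List[int]]:
    """NFQUEUE at the top of the earlier stage: Snort sees everything, firewall rules still apply."""
    nf, snort = Netfilter(), Snort()
    nf.append("filter", (lambda p: p["dport"] == 23, "REJECT"))
    nf.insert("mangle", (lambda p: True, "NFQUEUE"))
    return [nf.run(p, snort) for p in PACKETS], snort.seen
```

Both orderings enforce the same verdicts, but only in `snort_first()` does Snort see the port-23 packet the firewall rejects, which is the IDS visibility the question asks about.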