Snort mailing list archives

Re: Snort with AFPacket


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Nov 2014 12:31:28 -0500

On 11/4/2014 10:19 AM, James Lay wrote:
> You bet....my personal belief is that Snort as an inline IPS on
> dedicated, separate devices with several NICs works excellent, but not
> on devices that provide routing/firewall services.

there is actually something in the works on a possible way to handle this... it 
may turn out that having dedicated sniffer boxen is really the best way to go... 
the current implementation only looks at the WAN side of the device and none of 
the internal LANs' traffic... kinda makes it hard to locate an offending 
internal machine with looking for one communicating with an external CnC but 
just being aware of the traffic is a plus and allows one to then use other 
software to look internally and find the device... it ain't point'n'click by a 
long shot but there are times that being this close to the metal is really a 
good thing... especially when one learns how things really work instead of the 
process being hidden behind some pretty stuff with fluffiness all around it ;) :lol:

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
