Snort mailing list archives

Re: active response and network tap


From: Steve Gantz <stephen.gantz () faculty umuc edu>
Date: Fri, 9 Jan 2015 17:34:58 -0500

Probably not. Typically, if you want active response/IPS functionality (drop packets, etc.), you need an inline setup with 
two NICs and configuration routing all traffic to Snort using iptables. With a tap the traffic is already downstream by 
the time you get an alert. 

Dr. Stephen D. Gantz, CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO

Professor of Information Assurance

The Graduate School

University of Maryland University College

stephen.gantz () faculty umuc edu



On Jan 9, 2015, at 4:37 PM, Anthony Sheetz <sheetzam () inspire com> wrote:

I'm getting started with Snort, and am currently using it with a network tap from an intelligent switch in passive 
mode. Is it possible to use an active response rule in such a setup? I probably haven't included enough information 
to get an intelligent answer - happy to explain more of the setup if needed.

Thanks in advance.
Anthony Sheetz
------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!