Home page logo

snort logo Snort mailing list archives

Re: IPS mode for snort
From: Mike Miller <mike () millertwinracing com>
Date: Fri, 14 Jun 2013 07:53:58 -0600

Did you create a bridged virtual interface?


On Thu, Jun 13, 2013 at 12:08 AM, Nomad Esst <noname.esst () yahoo com> wrote:

Thanks. You know, I've just decided to use it in inline mode. I gave that
a try with these configurations :
Here is my custom snort.conf: (named snr.conf)
config daq: ipfw
config daq_mode: inline
config policy_mode: inline
output alert_full: stdout
include snort.rule
Here is a simple rule file: (name snort.rule)
drop tcp any any -> any 23 (msg: "Drop telnet packets"; sid: 1000001)
pass ip any any -> any any
And here is what I do:
snort -c /root/snr.conf -Q --alert-before-pass
And I expect the ICMP packets to pass and telnet packets to drop. But both
packet types pass! Am I missing something?

 *From:* Mike Miller <mike () millertwinracing com>
*To:* Nomad Esst <noname.esst () yahoo com>*Sent:* Wednesday, June 12, 2013
7:30 PM

Long story short, you gang two network interfaces into a pair, have one
network drop (in from Firewall) going to one interface, and the other
network drop (out to LAN), going to your router/switchfabric, running snort
in inline mode, you have additional actions in your snort rules, where
before you can Alert, log, etc...you can also Pass, Drop, reject, and sdrop
the packets, which prevent them from going from one interface to the other.

You can set snort up in inline mode, and so long as all the rules are set
to alert, it'll act like snort that's just sniffing traffic. However, if
the snort box goes offline, or you restart the snort processes, or snort
hangs YOU WILL LOSE NETWORK CONNECTIVITY if you're not using a fail-open
network card.

Gig Nics are $9 in the bargain bin. Fail open Gig NICs are closer to
$2000, so you can see why people who don't care for uptime might cut a
corner or two. Last I checked, there was no such thing as a fail-open Fiber
NIC, that may have changed. A quick google shows they exist, are $10k MSRP,
and I'm not sure HOW they work....because, you know, they use LIGHT and all
that. (It's an admitted gap in my knowledge)

1. Aforementioned fail-open behavior
2. Overly aggressive rulesets (if a Fase Positive is set to DROP or
REJECT, you could cause a lot of oddball activity)
3. Another troubleshooting layer for Network Support. (Is the failure at
the ISP, Firewall, Switchfabric...or Emerging Threats)
4. If the Bad Guy think's you're actively blacklisting based on IP, they
can craft packets to make you go deaf. (Like making sure your Snort box is
blocking access to the outside DNS server...because it received a UDP
packet that was bad, that it thinks came from the DNS server.)

That said, having a good, tuned, IDP is a GREAT way to cut down on your
day to day work. If it punts 98% of the sql injection attacks to your
webfarm, you can devote your time to other things.

On Wed, Jun 12, 2013 at 1:44 AM, Nomad Esst <noname.esst () yahoo com> wrote:

Hi list

Sorry for these questions, I'm a new snort user.
How can I enable IPS mode for snort? And is it possible to run snort in
both IDS and IPS modes? How?

Thanks in advance

I wouldn't recommend leaping into IPS mode as a new snort user without
familiarizing yourself with the environment. It's a sharp sword that would
be >easy to cut yourself on. Can you run IPS/IDS at the same time? Sure,
but it may not be the optimal way to go.

Thanks. Could you please tell me how can I have snort act as both IDS and
IPS modes? What is the configuration?

This SF.net email is sponsored by Windows:

Build for Windows Store.

Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]