
Snort mailing list archives
Re: IPS options
From: Y M <snort () outlook com>
Date: Thu, 6 Mar 2014 06:26:02 +0000
As far as I know, signatures with the "alert" keyword should still work as usual when running Snort inline. Only those signatures marked with "drop" will be dropped; the rest, i.e. "alert" signatures, should only alert as normal, at least when using the afpacket DAQ. I wouldn't imagine the behavior is different for NFQ, but I never tested it. We have two sensors running inline (afpacket), and although they do not contain "alert" signatures at the moment, they worked as expected during testing in regards to running "alert" and "drop" signatures at the same time.

YM.
To: snort-users () lists sourceforge net
Date: Wed, 5 Mar 2014 16:46:45 -0700
From: jlay () slave-tothe-box net
Subject: [Snort-users] IPS options

Hey all,

So....looking at changing a current Snort IDS to IPS...I've gotten some good feedback, but wanted to post here as well. The setup is a Linux box with two NICs already bridged. I need to just IPS a certain protocol/port combination, and still alert as usual on everything else. I looked at DAQ NFQ, but found that after getting that to work, other alerts stopped. So what are my options for this? I read through the daq doc and whatnot, but wanted opinions here as well. Thanks for any insight.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
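An added example, not part of the thread or of Snort itself: since a sensor running inline drops only on "drop" rules and keeps alerting on "alert" rules, one way to block a single protocol/port combination while alerting on everything else is to change the action on just the matching rules. The function name `promote_to_drop` and the sample rules are assumptions made for this illustration.

```python
import re

# Snort rule layout: action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<opts>\(.*\))\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')

def promote_to_drop(lines, proto, port):
    """Return (rewritten_lines, promoted_sids).

    Only "alert" rules whose protocol equals `proto` and whose destination port
    is exactly `port` are changed to "drop". Rules using "any", port lists,
    ranges or variables stay as alerts, so nothing outside the chosen
    protocol/port combination starts being blocked.
    """
    out, promoted = [], []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if (m and m['action'] == 'alert' and m['proto'].lower() == proto.lower()
                and m['dport'] == str(port)):
            sid = SID_RE.search(m['opts'])
            promoted.append(int(sid.group(1)) if sid else None)
            out.append('drop' + line.strip()[len('alert'):])
        else:
            out.append(line)  # comments, blanks and all other rules pass through
    return out, promoted

# Constructed sample rules (not from the thread); sids are in the local range.
SAMPLE_RULES = [
    '# local.rules',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet attempt"; flow:to_server; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET [21,23] (msg:"LOCAL cleartext login service"; sid:1000002; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL udp to port 23"; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL catch-all"; sid:1000004; rev:1;)',
]

if __name__ == '__main__':
    rewritten, sids = promote_to_drop(SAMPLE_RULES, 'tcp', 23)
    print('\n'.join(rewritten))
    print('promoted sids:', sids)
```

Rules with a port list, range or "any" that overlaps the chosen port are deliberately left untouched and should be reviewed by hand before being switched to "drop".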
Current thread:
- IPS options James Lay (Mar 05)
- Re: IPS options waldo kitty (Mar 05)
- Re: IPS options Y M (Mar 05)
- Re: IPS options James Lay (Mar 06)
- Re: IPS options Y M (Mar 06)
- Re: IPS options Russ Combs (rucombs) (Mar 06)
- Re: IPS options James Lay (Mar 06)
- Re: IPS options James Lay (Mar 06)