For a homenet I would recommend smoothwall as an easy choice with some
choice addons, namely:
- Guardian (active response, blocks ip addresses based on snort alerts for a
period of time)
http://community.smoothwall.org/forum/viewtopic.php?f=52&t=30245
- Snort 2.8.6.1
http://community.smoothwall.org/forum/viewtopic.php?f=26&t=36435
- Blackhole DNS (resolves DNS queries for tens of thousands of malware
domains, mainly from malwaredomains.com which it updates to loopback
127.0.0.1 so your clients don't connect to them)
http://community.smoothwall.org/forum/viewtopic.php?f=103&t=26030
And there are plenty of others. This would mean (with some configuration,
putting on the emergingthreats.net rules etc.) you get a firewall, DNS
blackhole, snort with active response and so on.
If you are running it on your network, the key things are:
- It can see the traffic (inline this isn't a problem, IDS would mean
mirroring the port or being able to see the traffic such as on the gateway).
- Internally you get fewer alerts that are more appropriate (i.e. you will see
malware internal to your network and stuff that has made it into your
network). I would recommend running the emergingthreats snort rules too for
the malware detection they offer as well as other stuff.
On 20 May 2011 15:14, lay rando <khaosnetz@googlemail.com> wrote:
> I want to run snort on my homenet as NIDS, probably in inline mode. I
> compiled snort already with all daq features.
> My question is which network card I have to run in promiscuous mode and
> on which device, and how should snort be started?
> I've read that snort should better run on the internal side due to
> security reasons, but I'm not really sure if that's right in this case.
>
> here is my net configuration:
> router -> ext eth1 -> fw masquerade ->
> int eth0 -> switch
> 10.10.11.10 10.10.11.20
> 10.10.1.1
>
> is there anything special iptables related i should know for my setup?
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
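An added example, not part of the original messages and not Guardian's own code: a Python sketch of the time-limited active response described in the reply, computing which alert sources would be blocked and until when from constructed Snort fast-format alert lines. `HOME_NET`, the never-block list, the one-hour duration and the year are assumptions, and the sketch only returns decisions without touching any firewall.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed values for this sketch, not Guardian's real settings.
HOME_NET = ipaddress.ip_network("10.10.0.0/16")     # assumed to cover the 10.10.x.x hosts
NEVER_BLOCK = {ipaddress.ip_address("192.0.2.53")}  # constructed, e.g. an upstream resolver
BLOCK_FOR = timedelta(hours=1)
YEAR = 2011  # fast-format alert timestamps carry no year by default

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\].*"
    r"\{\w+\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+\d+\.\d+\.\d+\.\d+(?::\d+)?\s*$"
)

# Constructed sample alerts (local-range SIDs, documentation addresses).
SAMPLE = """\
05/20-15:14:02.123456  [**] [1:1000001:1] constructed test rule A [**] [Priority: 3] {TCP} 203.0.113.7:40112 -> 10.10.1.1:22
05/20-15:40:10.000001  [**] [1:1000001:1] constructed test rule A [**] [Priority: 3] {TCP} 203.0.113.7:40113 -> 10.10.1.1:22
05/20-15:20:00.500000  [**] [1:1000002:1] constructed test rule B [**] [Priority: 2] {UDP} 10.10.11.20:5353 -> 198.51.100.9:53
05/20-15:21:00.500000  [**] [1:1000003:1] constructed test rule C [**] [Priority: 2] {ICMP} 198.51.100.9 -> 10.10.1.1
""".splitlines()

def parse_alert(line):
    """Return (timestamp, source address), or None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return when, ipaddress.ip_address(m["src"])

def build_blocklist(lines):
    """Map each external alert source to the time its block expires."""
    blocks = {}
    for when, src in filter(None, map(parse_alert, lines)):
        # Never block our own hosts or critical services: an alert raised by
        # forged or internal traffic must not cut the network off from itself.
        if src in HOME_NET or src in NEVER_BLOCK:
            continue
        # A repeat alert extends the block instead of adding a second entry.
        blocks[src] = max(blocks.get(src, when), when + BLOCK_FOR)
    return blocks

def active_blocks(blocks, now):
    """Addresses whose block has not yet expired at `now`."""
    return sorted(str(ip) for ip, expiry in blocks.items() if expiry > now)

if __name__ == "__main__":
    print(active_blocks(build_blocklist(SAMPLE), datetime(2011, 5, 20, 16, 30)))
```

The internal host 10.10.11.20 is never blocked even though it raised an alert, which matches the reply's point that internal alerts are for finding infected machines rather than for cutting them off automatically.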