[Snort-users] Inline and stream 4
This is a discussion on [Snort-users] Inline and stream 4 within the Snort forums, part of the System Security and Security Related category; Hi I've got a question on a stream 4 configuration. This is our setup: All traffic from internet and ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
04-13-2006
|
|||
|
|||
[Snort-users] Inline and stream 4
Hi
I've got a question on a stream 4 configuration. This is our setup: All traffic from internet and dmz is routed to snort using iptables QUEUE statement. All traffic from our router itself and all traffic from the secure LAN is NOT routed to snort. We are using the upgradeable rule set with all rules set to drop to have an IPS system This worked fine, however sometimes connections were dropped without alerting. After some research I found out that it is the stream4 preprocessor who was doing this. Adding the midstream_drop_alerts parameter solves the problem however may expose us to snot & stick attacks. 2 questions about this: 1. I thought a snot & stick attack was designed to bury a hacking attempt between other useless attacks and therefore obscure the logging and possible recognition. But in an IPS system the attack itself is logged and also blocked. So I do not understand why this is may be a problem? 2. Apparently the problem of question 1 is not an issue if the inline_state parameter is set. However as we do not send all traffic through snort this will probably cause a lot of packages to be dropped? Even more general, is there a possible state problem when only traffic from internet/dmz is routed to snort? In other words would some rules match due to a state problem? Kind regards, Pieter -- --------------------------------------------------- aXs GUARD Training Center more info at http://www.axsguard.com/indextraining.htm aXs GUARD has completed security and anti-virus checks on this e-mail (http://www.axsguard.com) --------------------------------------------------- Able NV: ond.nr 0457.938.087 RPR Mechelen ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=...720&dat=121642 _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
