This is a discussion on Re: [Snort-users] Advice on Snort Inline within the Snort forums, part of the System Security and Security Related category.
Joel,

You forgot to mention the cool part of being able to rename the devices from eth1 and eth2 to ips0 and ips1 :)

Mark:

Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 and ifcfg-eth2 files, rename them to ifcfg-ips0 and ifcfg-ips1 and change the line in the files that says:

DEVICE=eth1 and DEVICE=eth2

to

DEVICE=ips0 and DEVICE=ips1

respectively.

Although, I've been struggling with how to rename a bond0 interface to mgt0 ... :/ :)

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
Web: http://www.appliedwatch.com

Joel Esler wrote:
> Mark,
>
> Thanks for emailing the list.
>
> 3 nics is the way you want to go, one nic in, one nic out. There
> are some configuration guides to Snort inline out there (try the Snort
> manual, it's a good starting point), all you have to do is basically
> have iptables forward everything to "QUEUE" then Snort reads from that
> QUEUE.
>
> Fedora Core 5 will work just fine, just make sure you are running the
> bare minimum of services on it, as you want your Snort box to be as fast
> as possible for inline mode.
>
> Joel
>
> Mark Rohrbeck wrote:
>>> Hi all,
>>>
>>> I have 2 IDS systems in place and tuned to their specific networks, the next
>>> step I want to take is running them with Snort_inline. I am just a little
>>> unsure on how to do this. I would prefer to use Fedora Core 5 as the OS but
>>> open to suggestions. I mainly want to find out if I can run Snort_inline on
>>> one box?
>>>
>>> The networks are pretty small with 10 - 50 XP PCs and server 2003 / 2000,
>>> we run Sonicwall firewalls and I have the Sensors behind the firewall. The
>>> picture I have in my mind is having 3 nics in the machine, 1 for Admin and
>>> the other 2 for Snort inline. Am I heading in the right direction here?
>>>
>>> Any advice / help GREATLY appreciated.
>>>
>>> Marklar
>
> --
> Joel Esler Senior Security Consultant 1-706-627-2101
> Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
> Snort - Open Source Network IPS/IDS -- http://www.snort.org
> GPG Key http://demo.sourcefire.com/jesler.pgp.key
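
Added example (not part of the original thread and not the posters' own code): the ifcfg rename Eric describes, written as a shell function that can be rehearsed against a scratch copy of the directory before it is run on a live sensor. The function name rename_ifcfg, the CFG_DIR variable, the return codes and the HWADDR= warning are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# CFG_DIR defaults to the directory named in the post; point it at a scratch
# copy to rehearse the change before touching a live sensor.
CFG_DIR="${CFG_DIR:-/etc/sysconfig/network-scripts}"

# rename_ifcfg OLD NEW  (e.g. rename_ifcfg eth1 ips0)
# Return codes: 0 ok, 1 source missing, 2 target exists,
#               3 no DEVICE=OLD line, 4 invalid new name, 5 write failed.
rename_ifcfg() {
    old="$1"; new="$2"
    src="$CFG_DIR/ifcfg-$old"; dst="$CFG_DIR/ifcfg-$new"

    # Linux interface names hold at most 15 characters (IFNAMSIZ is 16 with
    # the NUL); the character set allowed here is a conservative choice.
    case "$new" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid name: $new" >&2; return 4 ;;
    esac
    [ "${#new}" -le 15 ] || { echo "name too long: $new" >&2; return 4; }

    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    if [ -e "$dst" ]; then echo "$dst already exists" >&2; return 2; fi

    # Refuse to guess if the file does not declare the device we expect.
    grep -Eq "^DEVICE=\"?$old\"?[[:space:]]*\$" "$src" ||
        { echo "no DEVICE=$old line in $src" >&2; return 3; }

    # Assumption: an HWADDR= line is what ties the new name to one physical
    # NIC, so warn when it is absent rather than fail.
    grep -q '^HWADDR=' "$src" ||
        echo "warning: $src has no HWADDR= line" >&2

    # Write the new file with only the DEVICE= line changed, then park the
    # old one under a .bak suffix so the change is easy to roll back.
    sed "s/^DEVICE=.*/DEVICE=$new/" "$src" > "$dst" || return 5
    mv "$src" "$src.bak"
}
```

Run it once per interface (eth1 to ips0, eth2 to ips1) from the admin NIC or the console, since the inline pair loses its configuration until networking is restarted.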