Re: [Snort-users] Advice on Snort Inline

09-08-2006
Jason Brvenik

IIRC it goes something like this

alias ipsbr0 bonding

/etc/sysconfig/ifcfg-ipsbr0
DEVICE=ipsbr0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

/etc/sysconfig/ifcfg-eth0
DEVICE=ips0
USERCTL=no
ONBOOT=yes
MASTER=ipsbr0
SLAVE=yes
BOOTPROTO=none

/etc/sysconfig/ifcfg-eth1
DEVICE=ips1
USERCTL=no
ONBOOT=yes
MASTER=ipsbr0
SLAVE=yes
BOOTPROTO=none


# /sbin/ifconfig ipsbr0 192.168.1.1 up
# /sbin/ifenslave ipsbr0 eth0
# /sbin/ifenslave ipsbr0 eth1



Eric Hines wrote:
> Joel,
>
> You forgot to mention the cool part of being able to rename the devices
> from eth1 and eth2 to ips0 and ips1 :)
>
> Mark: Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 and ifcfg-eth2
> files, rename them to ifcfg-ips0 and ifcfg-ips1 and change the line in
> the files that says: DEVICE=eth1 and DEVICE=eth2 to DEVICE=ips0 and
> DEVICE=ips1 respectively
>
> Although, I've been struggling with how to rename a bond0 interface to
> mgt0 ... :/ :)
>
>
>
> Best Regards,
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
> Email: eric.hines@appliedwatch.com
> Address: 1095 Pingree Road
> Suite 221
> Crystal Lake, IL
> 60014
> Tel: (877) 262-7593 ext:327
> Local: (847) 854-5831
> Fax: (847) 854-5106
> Web: http://www.appliedwatch.com
>
> --------------------------------------------------
> Security Management for the Open Source Enterprise
>
>
>
>
>
> Joel Esler wrote:
>>> Mark,
>>>
>>> Thanks for emailing the list.
>>>
>>> 3 nics is the way you want to go, one nic in, one nic out. There
>>> are some configuration guides to Snort inline out there (try the Snort
>>> manual, it's a good starting point), all you have to do is basically
>>> have iptables forward everything to "QUEUE" then Snort reads from that
>>> QUEUE.
>>>
>>> Fedora Core 5 will work just fine, just make sure you are running the
>>> bare minimum of services on it, as you want your Snort box to be as fast
>>> as possible for inline mode.
>>>
>>> Joel
>>>
>>>
>>> Mark Rohrbeck wrote:
>>>>> Hi all,
>>>>>
>>>>> I have 2 IDS systems in place and tuned to their specific networks, the next
>>>>> step I want to take is running them with Snort_inline. I am just a little
>>>>> unsure on how to do this. I would prefer to use Fedora Core 5 as the OS but
>>>>> open to suggestions. I mainly want to find out if I can run Snort_inline on
>>>>> one box?
>>>>>
>>>>> The networks are pretty small with 10 - 50 XP PC's and server 2003 / 2000,
>>>>> we run Sonicwall firewalls and I have the Sensors behind the firewall. The
>>>>> picture I have in my mind is having 3 nics in the machine, 1 for Admin and
>>>>> the other 2 for Snort inline. Am I heading in the right direction here?
>>>>>
>>>>> Any advice / help GREATLY appreciated.
>>>>>
>>>>> Marklar
>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> Using Tomcat but need to do more? Need to support web services, security?
>>>>> Get stuff done quickly with pre-integrated technology to make your job easier
>>>>> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>>>>> http://sel.as-us.falkag.net/sel?cmd=...057&dat=121642
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users@lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/...fo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.p...st=snort-users
>>>>>
>>> --
>>> +---------------------------------------------------------------------+
>>> Joel Esler Senior Security Consultant 1-706-627-2101
>>> Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
>>> Snort - Open Source Network IPS/IDS -- http://www.snort.org
>>> GPG Key http://demo.sourcefire.com/jesler.pgp.key
>>> +---------------------------------------------------------------------+

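A consistency check for ifcfg bonding files like the ones in the post above, added here as an example and not part of the original thread. The function names, the problem codes and the sample files are constructed; the check assumes the Red Hat `KEY=value` ifcfg format and flags a slave whose MASTER names no configured device, or a file whose name and DEVICE disagree.

```shell
#!/bin/sh
# Added example: lint Red Hat style ifcfg-* files for bonding consistency.
# Function names, problem codes and sample values are constructed.

# Print the value of KEY from an ifcfg file (last assignment wins).
cfg_get() {  # usage: cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Print one line per problem found in DIR; prints nothing when consistent.
lint_bond_dir() {
    dir=$1
    devices=""
    # Pass 1: collect every DEVICE and compare it with the file name suffix.
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(cfg_get "$f" DEVICE)
        devices="$devices $dev"
        [ "${f##*/ifcfg-}" = "$dev" ] ||
            echo "NAME_MISMATCH ${f##*/} DEVICE=$dev"
    done
    # Pass 2: every SLAVE=yes file must name a MASTER seen in pass 1.
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        [ "$(cfg_get "$f" SLAVE)" = "yes" ] || continue
        master=$(cfg_get "$f" MASTER)
        [ -n "$master" ] || master="(unset)"
        case " $devices " in
            *" $master "*) ;;
            *) echo "UNKNOWN_MASTER ${f##*/} MASTER=$master" ;;
        esac
    done
}

# Constructed sample: one bond, one good slave, one slave with a mistyped master.
make_sample() {
    d=$(mktemp -d)
    printf 'DEVICE=ipsbr0\nONBOOT=yes\nBOOTPROTO=none\n' > "$d/ifcfg-ipsbr0"
    printf 'DEVICE=ips0\nMASTER=ipsbr0\nSLAVE=yes\n'    > "$d/ifcfg-ips0"
    printf 'DEVICE=ips1\nMASTER=ipsbr00\nSLAVE=yes\n'   > "$d/ifcfg-ips1"
    echo "$d"
}
```

Run `lint_bond_dir "$(make_sample)"` to see the report for the constructed files, or point `lint_bond_dir` at a copy of the sensor's own ifcfg directory.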