Where to deploy snort in inline mode??



#1
05-25-2007
jeniffer

I want to only use snort in inline mode to detect portscans by
nmap. I have a firewall that drops all packets that don't match its
rules. Where do I place snort? Please help me out.

If I place snort after the firewall (I mean that there would be a
rule in the INPUT chain in iptables to QUEUE packets to userspace), then
most of the packets will already be dropped, so snort won't get enough
packets to detect that a portscan is taking place. If I place snort in the
PREROUTING chain (the first chain hit by inbound packets), then until
snort detects an attack it would pass an NF_ACCEPT verdict for all
packets in userspace (see the inline.c file), and so no packets would pass
to the firewall now. They would just be accepted and not return to
kernel space to match the other firewall rules. I cannot pass the IPT_CONTINUE
target from userspace:
http://lists.netfilter.org/pipermail...ay/019722.html

What do I do? Please, please help me out.

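The poster's concern is that a drop-everything firewall in front of the sensor starves a portscan detector of the very packets it counts. The following is an added illustration of that effect and is not Snort's own sfPortscan code nor anything from the thread: it runs a simplified sliding-window "distinct destination ports per source" heuristic (an assumption standing in for Snort's real thresholds) over a constructed nmap-style SYN scan, once on the traffic as it would be seen in PREROUTING (before any firewall verdict) and once on what survives a firewall that only accepts ports 22, 80 and 443 (the INPUT placement). The packet records, the allowed-port set and the threshold are all made up for the example.

```python
from collections import defaultdict

# Constructed sample traffic: (timestamp, src_ip, dst_port, tcp_flags).
# A SYN scan from 10.0.0.5 walking ports 20..39, one packet per second,
# plus two legitimate connections from 10.0.0.9. Not real capture data.
SCAN = [(float(i), "10.0.0.5", port, "S") for i, port in enumerate(range(20, 40))]
LEGIT = [(0.5, "10.0.0.9", 80, "S"), (1.5, "10.0.0.9", 443, "S")]
PACKETS = sorted(SCAN + LEGIT)

# Assumed firewall policy: the only services exposed; everything else is dropped,
# mirroring a default-deny INPUT chain.
ALLOWED_PORTS = {22, 80, 443}


def firewall_filter(packets, allowed=ALLOWED_PORTS):
    """Return only the packets a default-deny firewall would accept.

    This models a QUEUE rule placed *after* the accept rules in INPUT:
    the sensor only ever sees what the firewall already let through.
    """
    return [p for p in packets if p[2] in allowed]


def detect_portscan(packets, threshold=5, window=10.0):
    """Flag a source that sends SYNs to >= `threshold` distinct destination
    ports within `window` seconds. This is a deliberately simplified
    heuristic, not Snort's sfPortscan logic."""
    alerts = set()
    history = defaultdict(list)  # src_ip -> [(timestamp, dst_port), ...]
    for ts, src, port, flags in packets:
        if "S" not in flags:
            continue  # only connection attempts count toward a scan
        hist = history[src]
        hist.append((ts, port))
        # Keep only events inside the sliding window ending at this packet.
        hist[:] = [(t, p) for t, p in hist if ts - t <= window]
        if len({p for _, p in hist}) >= threshold:
            alerts.add(src)
    return alerts


def compare_placements():
    """Run the same detector on the two deployment points the post describes.

    Returns (alerts when the sensor sees pre-firewall traffic,
             alerts when the sensor sees only firewall-accepted traffic).
    """
    before_firewall = detect_portscan(PACKETS)
    after_firewall = detect_portscan(firewall_filter(PACKETS))
    return before_firewall, after_firewall


if __name__ == "__main__":
    before, after = compare_placements()
    print("sensor before firewall (PREROUTING) alerts:", sorted(before))
    print("sensor after firewall (INPUT) alerts:     ", sorted(after))
```

With the sensor ahead of the firewall the scanner trips the threshold at its fifth port; behind the firewall only the SYN to port 22 survives, so the same source never reaches the threshold and the scan goes unnoticed. Raising sensitivity does not help, because the evidence has been discarded in the kernel before the sensor could count it.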