From: Lance S. <la...@ho...> - 2004-10-07 03:14:40
On Oct 6, 2004, at 16:29, Michael Penland wrote:

> All,
>
> snort and snort_inline.
>
> Should I run both?
> Is it true that snort catches things that inline doesn't (and vice versa)?
> I see the HoneyNet project runs both.

Actually, we run three instances on the Honeywall CDROM :)

- We run snort-inline for the specific purpose of mitigating the risk of outbound connections from the honeypots.
- We run snort in IDS mode to alert on all inbound activity.
- We run snort in pcap mode to capture all network traffic. Snort has some additional security features that tcpdump does not have (specifically -u and -t). We did not want to enable IDS functionality with Snort for doing pcap, as the preprocessors modify the data you collect.

So, snort/snort-inline can do many things, no one is better than the other, just depends on what you want to do :)

lance