From: Pieter V. <pv...@ab...> - 2005-08-03 11:46:36
> No it is not a good idea, you need to send RELATED,ESTABLISHED traffic
> as well. State NEW is only valid for the first packet in a connection.
> You're going to miss a lot of traffic, actually there really shouldn't
> be data in your first syn so the only reason sneeze worked is because
> you did not use the --syn flag along with your state NEW rule in
> iptables, or you are not passing enforce_state to stream4
>
> Regards,
>
> Will

I tested it with ICMP rules so no SYN present ;)

Ok, so I better send all traffic through snort-inline. But then I get a higher load due to kernel-userland transits. So I'm searching for an alternative way of performing IPS with snort.

I checked the snort docs again and found some alert target rules, i.e. react and resp post-detection rule options, also allow blocking by snort (i.e. IPS functionality). Using these statements allows using snort normally.

Are there any other ways to perform IPS with snort? What are the pros and cons of using snort-inline and using snort normally with the react and resp detection rules? The docs already indicate that react and resp rules will not be useful for UDP traffic.

Kind regards,
Pieter Able
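The point Will makes above (a rule that queues only state NEW to snort-inline hands the engine the first packet of each connection and nothing else, and adding `--syn` narrows it further to bare SYNs) can be seen by modelling conntrack states over a packet trace. The following is an added illustration written for this thread, not code from snort, snort-inline or netfilter; the trace, the addresses and the simplified state assignment are constructed assumptions.

```python
"""
Toy model of iptables connection-tracking states applied to a packet trace.
It shows which packets a '-j QUEUE' rule would hand to snort-inline under
  (a) '-m state --state NEW' alone,
  (b) '-p tcp --syn -m state --state NEW' for TCP (ICMP still matched on NEW),
  (c) '-m state --state NEW,ESTABLISHED,RELATED'.
Constructed example; the state logic is a simplification of real conntrack.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List, Set

FlowKey = Tuple[str, frozenset]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "icmp"
    flags: str = ""                 # TCP flags ("S", "SA", "A", "PA"); "" for ICMP
    payload: int = 0                # application payload bytes carried
    inner: Optional[Tuple[str, str, str]] = None   # embedded (src, dst, proto) of an ICMP error


def flow_key(src: str, dst: str, proto: str) -> FlowKey:
    # Bidirectional key: both directions of a conversation map to one flow.
    return (proto, frozenset((src, dst)))


def classify(trace: List[Packet]) -> List[str]:
    """Assign NEW / ESTABLISHED / RELATED to each packet in arrival order."""
    seen: Set[FlowKey] = set()
    states = []
    for pkt in trace:
        # An ICMP error quoting a known flow is RELATED to that flow.
        if pkt.inner is not None and flow_key(*pkt.inner) in seen:
            states.append("RELATED")
            continue
        key = flow_key(pkt.src, pkt.dst, pkt.proto)
        if key in seen:
            states.append("ESTABLISHED")    # reply or later packet of a seen flow
        else:
            seen.add(key)
            states.append("NEW")            # first packet of a flow, SYN or not
    return states


def queued(trace: List[Packet], states: Set[str], syn_only: bool = False) -> List[int]:
    """Indices of packets the QUEUE rule would pass to snort-inline."""
    out = []
    for i, (pkt, state) in enumerate(zip(trace, classify(trace))):
        if state not in states:
            continue
        # '--syn' is a TCP-only match: non-SYN TCP packets fall through the rule.
        if syn_only and pkt.proto == "tcp" and pkt.flags != "S":
            continue
        out.append(i)
    return out


def uninspected_bytes(trace: List[Packet], states: Set[str], syn_only: bool = False) -> int:
    """Payload bytes that never reach snort-inline under the given rule."""
    chosen = set(queued(trace, states, syn_only))
    return sum(p.payload for i, p in enumerate(trace) if i not in chosen)


# Constructed trace: a TCP handshake with data both ways, a stray data
# packet with no handshake, an ICMP echo pair, and an ICMP error for the TCP flow.
TRACE = [
    Packet("10.0.0.2", "10.0.0.1", "tcp", "S"),                 # 0 SYN
    Packet("10.0.0.1", "10.0.0.2", "tcp", "SA"),                # 1 SYN/ACK
    Packet("10.0.0.2", "10.0.0.1", "tcp", "A"),                 # 2 ACK
    Packet("10.0.0.2", "10.0.0.1", "tcp", "PA", payload=120),   # 3 client data
    Packet("10.0.0.1", "10.0.0.2", "tcp", "PA", payload=300),   # 4 server data
    Packet("10.0.0.3", "10.0.0.1", "tcp", "PA", payload=80),    # 5 data with no handshake
    Packet("10.0.0.2", "10.0.0.1", "icmp"),                     # 6 echo request
    Packet("10.0.0.1", "10.0.0.2", "icmp"),                     # 7 echo reply
    Packet("10.0.0.1", "10.0.0.2", "icmp",
           inner=("10.0.0.2", "10.0.0.1", "tcp")),              # 8 ICMP error quoting flow 0
]

NEW_ONLY = {"NEW"}
FULL = {"NEW", "ESTABLISHED", "RELATED"}

if __name__ == "__main__":
    for label, states, syn in (("NEW only", NEW_ONLY, False),
                               ("NEW + --syn", NEW_ONLY, True),
                               ("NEW,ESTABLISHED,RELATED", FULL, False)):
        print(f"{label:24s} queued={queued(TRACE, states, syn)} "
              f"uninspected_bytes={uninspected_bytes(TRACE, states, syn)}")
```

With only NEW matched, the handshake replies, the data packets and the ICMP reply and error all bypass the queue; the stray data-carrying first packet (the case Will attributes to sneeze) is the one payload snort-inline ever sees, and adding `--syn` removes even that. Matching NEW,ESTABLISHED,RELATED queues every packet, which is exactly the extra kernel-to-userland load Pieter is asking about.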