Thread: [Snort-inline-users] My question is about snort and snort_inline.

Brought to you by: count_zero_rod, redmaze, vicjul78

snort-inline-users

[Snort-inline-users] My question is about snort and snort_inline.

From: Michael P. <mpe...@ho...> - 2004-10-06 21:30:14

All,

snort and snort_inline.

Should I run both ?
Is it true that snort catches things that inline doesn't and (vise versa).
I see the HoneyNet project runs both.
Just wanted to clear the discrepancy.

Thanks,
MGP

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Re: [Snort-inline-users] My question is about snort and snort_inline.

From: Will M. <wil...@gm...> - 2004-10-07 03:06:24

Michael,

I wouldn't say that one is better than the other, or that one misses
things that the other doesn't.  snort_inline is essentially just a
patch to mainline snort to allow us to leverage userspace queueing via
iptables to analyze and perform IPS functionality using the snort
detection engine and signature database.  I think Rob said it best

"Think of this as an Intrusion Prevention System (IPS) that uses
existing Intrusion Detection System (IDS) signatures to make decisions
on packets that traverse snort_inline."

BTW snort_inline users, Victor and I are developing a sticky-drop
preprocessor/detection plug in hybrid.  When we are finished you will
be able to use the preproc and the snort rule language to set up
blocks for set periods of time.

An example would be to drop all traffic from an attacker that has
triggered a portscan alert for the next 10 minutes.  Things of that
nature.

If there is anything else you guy's want to see in snort_inline please
let me know.

Regards,

Will

On Wed, 06 Oct 2004 17:29:43 -0400, Michael Penland
<mpe...@ho...> wrote:
> All,
> 
> snort and snort_inline.
> 
> Should I run both ?
> Is it true that snort catches things that inline doesn't and (vise versa).
> I see the HoneyNet project runs both.
> Just wanted to clear the discrepancy.
> 
> Thanks,
> MGP
> 
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today - it's FREE!
> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>

Re: [Snort-inline-users] My question is about snort and snort_inline.

From: Lance S. <la...@ho...> - 2004-10-07 03:14:40

On Oct 6, 2004, at 16:29, Michael Penland wrote:

> All,
>
> snort and snort_inline.
>
> Should I run both ?
> Is it true that snort catches things that inline doesn't and (vise 
> versa).
> I see the HoneyNet project runs both.

Actually, we run three instances on the Honeywall CDROM :)

- We run snort-inline for the specific purpose of mitigating the risk 
of outbound connections from the honeypots.
- We run snort in IDS mode to alert on all inbound activity.
- We run snort in pcap mode to capture all network traffic.  Snort has 
some additional security features that tcpdump does not have 
(specifically -u and -t).   We did not want to enable IDS functionality 
with Snort for doing pcap, as the preprocessors modify the data you 
collect.

So, snort/snort-inline can do many things, no one is better then the 
other, just depends on what you want to do :)

lance