Hello:
Thanks for all your answers. Wel i think too the best aproach for this
is doing on iptables like Will say.. but if we really want a IPS with
snort maybe we can start to think on that solution. Maybe people of
sourcefire can plant this solution for future releases.
If snort in future can handle the connections with syn proxy or (seudo
syn proxy) validating the real one's before they can pass can start to
think in the best IPS of the World
Well, i have to continue with my two boxes.... Like Matt say... right
now i have a Linux-Snorted behind a BSD.... and that is not elegant....
A firewall behind another one?
Regards
Xavier Cabrera.
Will Metcalf wrote:
I could think of a way to do this, it probably wouldn't be very clean
and would more than likely require an ip stack to be loaded on your
inline box.
This is really something that should be handled in netfilter rather
than in snort-inline. If packets make it to the queue and you have a
lot of spoofed packets your DoS isn't going to be on the end host your
trying to protect, it's going to be your inline box dealing with all
the damn context switching between user space and kernel space.
Regards,
Will
On 7/19/05, Matt Kettler <mkettler@evi-inc.com> wrote:
Xavier Cabrera wrote:
Anyone know how snort can work like a Syn Proxy in inline mode?
Not that I'm aware of.. Ultimately I think you'll have to do this in two stages,
something like this:
PC -> syn proxy -> snort inline -> Internet
You might be able to wrap it all up on the same box by using two interfaces and
have the proxy tool running on the inside interface, and then inline snort on
the outside.
Something like this:
inside interface ->syn proxy -> OS routing -> snort inline -> outside interface
but I'm not up-to-speed on all the syn proxy tools out there, or snort's current
inline support.
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
