NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Snort IDS> current

[Snort-users] Multipal configurations: ids and ips modes.

From: Oleg Gvozdev (jktu17gmail.com)
Date: Tue May 07 2013 - 03:31:02 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello
I have snort 2.9.3.1 and afpacket daq installed.

*MY GOAL:*

1. create several (e.g. 2) configurations of snort using "config binding"
2. have different modes in this configuration, for exeample: conf1 will run
in tap mode and conf2 (binded) will run in inline mode.
3.only on snort process must be run to acheive this goal

*QUESTIONS: *

*1. Is it possible?* I could'nt do it, because i need to specify "-Q" flag
for inline mode which is global and have the next problems:

1.to run snort in inline i need to specify "-Q" (w/o it snort complains:
"Adapter is in Passive Mode. Hence switching policy mode to tap.")
2.but with -Q switch i have an error from conf1: "FATAL ERROR: DAQ
'passive' mode incompatible with -Q! "

PS: from manual: config daq_* options is not configuration-specific and
they are global; but config policy_mode is config-specific and may differ
in case of multi-configurations config; so this is the problem.

PPS:
Here is my config (only topic-related things):

*File /etc/conf1.conf:*
config daq_dir : /usr/lib/daq
config daq : afpacket
config daq_mode : passive
config policy_mode : tap
config interface : eth1
config binding : /etc/conf2.conf net 10.0.0.0/24
config policy_version : base-version
config policy_id : 0

*File /etc/conf2.conf:*
config policy_mode : inline
config interface : eth1:eth2
config policy_version : base-version sub-version
config policy_id : 1

*2. Another question*: in case of multiple configurations: is it necessary
to include "config policy_id" options in each configurations and is option
"config policy_version :" is necessary ? May be I only need to use "config
binding FILE net IP" ?

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]