[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

Brian Hennigar bhennigar at gmail.com
Thu Apr 2 02:51:32 UTC 2015


Did you have any success with libnet for rejects?
I've been trying to get it working and the results haven't been promising.
Occasionally the connection will break on a reject rule but never fast
enough.

On Fri, Mar 27, 2015 at 11:21 AM, Rovnov Pavel <provnov at solidex.by> wrote:

> Victor,
>
> Thanks a lot for information!
>
> Pavel
>
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
> Victor Julien
> Sent: Friday, March 27, 2015 1:50 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
>
> On 03/23/2015 08:09 PM, Rovnov Pavel wrote:
> > Hello Coop, Anthony,
> >
> > I control neither the users nor the web servers, so I can't instruct
> > users to use a proxy or run all web applications through a reverse proxy.
> >
> > Inline mode is not acceptable in my scenario (let me say the guy who
> > owns infrastructure doesn't allow me to be inline).
> >
> > What I can do is use mirrored traffic for my analysis. So the
> > question remains the same:
> >
> > 1) Can I use reject when out-of-band?
>
> Yeah.
>
> > 2) How can I specify the interface to send rejects from? I can't use a
> > 2-way SPAN port on my switch.
>
> Not sure here. I think you'd need another nic that's on your switch. We
> use libnet, not sure how it selects the nic to use. Might use the nic
> that has a valid route to the destination? Think you'll need to
> experiment here.
>
> Cheers,
> Victor
>
>
> >
> > Thanks!
> >
> > -----Original Message-----
> > From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
> > Sent: Monday, March 23, 2015 9:59 PM
> > To: Rodgers, Anthony (DTMB); Rovnov Pavel; oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
> >
> > +1 to using a web proxy.  Squid is free.
> >
> > You can even run suricata inline on a squid proxy and create a robust,
> > next-generation proxy-firewall with Layer-7 intrusion
> > detection/prevention.
> >
> > -Coop
> >
> > On 3/23/2015 9:17 AM, Rodgers, Anthony (DTMB) wrote:
> >> Why not use a web proxy like squid for this?
> >
> >> --
> >> Anthony Rodgers
> >> Security Analyst
> >> Michigan Security Operations Center (MiSOC)
> >> DTMB, Michigan Cyber Security
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
> >
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>