[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
Rovnov Pavel
provnov at solidex.by
Mon Mar 23 19:09:11 UTC 2015
Hello Coop, Anthony,
I don't control neither users nor web servers. So I can't instruct users
to use proxy or run all web applications through reverse-proxy.
Inline mode is not acceptable in my scenario (let me say the guy who
owns infrastructure doesn't allow me to be inline).
What I can is to use mirrored traffic to do my analysis. So the question
remains the same:
1) Can I use reject when out-of-band?
2) How can I specify interface to send rejects from? I can't use
2-way SPAN port on my switch.
Thanks!
-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
Sent: Monday, March 23, 2015 9:59 PM
To: Rodgers, Anthony (DTMB); Rovnov Pavel;
oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+1 to using a web proxy. Squid is free.
You can even run suricata inline on a squid proxy and create a robust,
next-generation proxy-firewall with Layer-7 intrusion
detection/prevention.
- -Coop
On 3/23/2015 9:17 AM, Rodgers, Anthony (DTMB) wrote:
> Why not use a web proxy like squid for this?
>
>
>
> --
>
> Anthony Rodgers
>
> Security Analyst
>
> Michigan Security Operations Center (MiSOC)
>
> DTMB, Michigan Cyber Security
>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJVEGJiAAoJEKIFRYQsa8FW3r0IAMqQg8MAiFsEvtQVDDKguCVs
lhSpi3BWo6o4ZSvAVb0TBckzbIybS/H2EKDygSYabNwxCpjMf0Lu2OrJVKy2RVKS
+eawDcvztSWDyg2HhMaznpv3XcNjvMhU3HG59k2/0T0YNi7Y5YTMS+QmFAsuJzX+
+SWBMttonPIwDste0ArhMBOBmL5zi3azz5Bt066WAu6sdTfFqXXh7pzV2aEgocLH
V+o2CdubRdyAjNQNRlZ8rxJ1Xab6ZUYwp25BfUSyC11pShQt31ojnjleZARBY7JQ
Sa639d06f7Vd6IjsiukR8RUF6ImhR6oxQhrYgFx2kXCyCnuAiAm/1m7EaS6Yz/A=
=8UL5
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list