[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

Rovnov Pavel provnov at solidex.by
Mon Mar 23 19:09:11 UTC 2015


Hello Coop, Anthony,

I control neither the users nor the web servers, so I can't instruct users
to use a proxy or run all web applications through a reverse proxy.

Inline mode is not acceptable in my scenario (let me say the guy who
owns infrastructure doesn't allow me to be inline).

What I can do is use mirrored traffic for my analysis. So the question
remains the same:

1) Can I use reject when out-of-band?

2) How can I specify the interface to send rejects from? I can't use a
2-way SPAN port on my switch.


Thanks!

-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
Sent: Monday, March 23, 2015 9:59 PM
To: Rodgers, Anthony (DTMB); Rovnov Pavel;
oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode


+1 to using a web proxy.  Squid is free.

You can even run suricata inline on a squid proxy and create a robust,
next-generation proxy-firewall with Layer-7 intrusion
detection/prevention.

-Coop

On 3/23/2015 9:17 AM, Rodgers, Anthony (DTMB) wrote:
> Why not use a web proxy like squid for this?
>
> --
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC)
> DTMB, Michigan Cyber Security

--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
