[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

Rovnov Pavel provnov at solidex.by
Fri Mar 27 14:21:01 UTC 2015


Victor,

Thanks a lot for information!

Pavel

-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org
[mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
Victor Julien
Sent: Friday, March 27, 2015 1:50 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/23/2015 08:09 PM, Rovnov Pavel wrote:
> Hello Coop, Anthony,
> 
> I don't control neither users nor web servers. So I can't instruct 
> users to use proxy or run all web applications through reverse-proxy.
> 
> Inline mode is not acceptable in my scenario (let me say the guy who 
> owns infrastructure doesn't allow me to be inline).
> 
> What I can is to use mirrored traffic to do my analysis. So the 
> question remains the same:
> 
> 1)	Can I use reject when out-of-band?

Yeah.

> 2)	How can I specify interface to send rejects from? I can't use 
> 2-way SPAN port on my switch.

Not sure here. I think you'd need another nic thats on your switch. We
use libnet, not sure how it selects the nic to use. Might use the nic
that has a valid route to the destination? Think you'll need to
experiment here.

Cheers,
Victor


> 
> Thanks!
> 
> -----Original Message----- From: Cooper F. Nelson 
> [mailto:cnelson at ucsd.edu] Sent: Monday, March 23, 2015 9:59 PM To:
> Rodgers, Anthony (DTMB); Rovnov Pavel; 
> oisf-users at lists.openinfosecfoundation.org Subject: Re:
> [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
> 
> +1 to using a web proxy.  Squid is free.
> 
> You can even run suricata inline on a squid proxy and create a robust,

> next-generation proxy-firewall with Layer-7 intrusion 
> detection/prevention.
> 
> -Coop
> 
> On 3/23/2015 9:17 AM, Rodgers, Anthony (DTMB) wrote:
>> Why not use a web proxy like squid for this?
> 
> 
> 
>> --
> 
>> Anthony Rodgers
> 
>> Security Analyst
> 
>> Michigan Security Operations Center (MiSOC)
> 
>> DTMB, Michigan Cyber Security
> 
> 
> _______________________________________________ Suricata IDS Users 
> mailing list: oisf-users at openinfosecfoundation.org Site:
> http://suricata-ids.org | Support:
> http://suricata-ids.org/support/ List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> 
Training now available: http://suricata-ids.org/training/
> 

- --
- ---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
- ---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVFTXIAAoJEMH0leOSaFa0mO8H/05kirfk52HYTIOwVmqFytqG
XseeP3BYaLPL6W/f9/+XCU+gqpZn+BbaBG3znot1pXKeEAuNrVzjrT228ASpbIsV
6ymTBuyOwgTXYvofW47sCEpRlcc5fukAqWYTxmmrLQJpfMMjUfq9v74IqJBeL0x2
Cu9VHICY9RxDyYUBYSakGX4DeVmTIYNdEYw5qe0jdw+2Ikv4v27ef1Sm5cpknKLG
AWGeflIEiQWWuMkRxw1HMMdbc3mmniA3tbzuktvp88o6vsKBlgoa45SsX0EvfjeL
rn5Q7q46ehOblJp+94pfHC20dbZUGmcO7Ax9VFGhDeeuxn1baPahuTcuoRsuyz4=
=YRJv
-----END PGP SIGNATURE-----
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support:
http://suricata-ids.org/support/
List:
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/



More information about the Oisf-users mailing list