[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
Rovnov Pavel
provnov at solidex.by
Fri Mar 27 14:21:01 UTC 2015
Victor,
Thanks a lot for information!
Pavel
-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org
[mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
Victor Julien
Sent: Friday, March 27, 2015 1:50 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/23/2015 08:09 PM, Rovnov Pavel wrote:
> Hello Coop, Anthony,
>
> I don't control neither users nor web servers. So I can't instruct
> users to use proxy or run all web applications through reverse-proxy.
>
> Inline mode is not acceptable in my scenario (let me say the guy who
> owns infrastructure doesn't allow me to be inline).
>
> What I can is to use mirrored traffic to do my analysis. So the
> question remains the same:
>
> 1) Can I use reject when out-of-band?
Yeah.
> 2) How can I specify interface to send rejects from? I can't use
> 2-way SPAN port on my switch.
Not sure here. I think you'd need another nic thats on your switch. We
use libnet, not sure how it selects the nic to use. Might use the nic
that has a valid route to the destination? Think you'll need to
experiment here.
Cheers,
Victor
>
> Thanks!
>
> -----Original Message----- From: Cooper F. Nelson
> [mailto:cnelson at ucsd.edu] Sent: Monday, March 23, 2015 9:59 PM To:
> Rodgers, Anthony (DTMB); Rovnov Pavel;
> oisf-users at lists.openinfosecfoundation.org Subject: Re:
> [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
>
> +1 to using a web proxy. Squid is free.
>
> You can even run suricata inline on a squid proxy and create a robust,
> next-generation proxy-firewall with Layer-7 intrusion
> detection/prevention.
>
> -Coop
>
> On 3/23/2015 9:17 AM, Rodgers, Anthony (DTMB) wrote:
>> Why not use a web proxy like squid for this?
>
>
>
>> --
>
>> Anthony Rodgers
>
>> Security Analyst
>
>> Michigan Security Operations Center (MiSOC)
>
>> DTMB, Michigan Cyber Security
>
>
> _______________________________________________ Suricata IDS Users
> mailing list: oisf-users at openinfosecfoundation.org Site:
> http://suricata-ids.org | Support:
> http://suricata-ids.org/support/ List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
Training now available: http://suricata-ids.org/training/
>
- --
- ---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
- ---------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVFTXIAAoJEMH0leOSaFa0mO8H/05kirfk52HYTIOwVmqFytqG
XseeP3BYaLPL6W/f9/+XCU+gqpZn+BbaBG3znot1pXKeEAuNrVzjrT228ASpbIsV
6ymTBuyOwgTXYvofW47sCEpRlcc5fukAqWYTxmmrLQJpfMMjUfq9v74IqJBeL0x2
Cu9VHICY9RxDyYUBYSakGX4DeVmTIYNdEYw5qe0jdw+2Ikv4v27ef1Sm5cpknKLG
AWGeflIEiQWWuMkRxw1HMMdbc3mmniA3tbzuktvp88o6vsKBlgoa45SsX0EvfjeL
rn5Q7q46ehOblJp+94pfHC20dbZUGmcO7Ax9VFGhDeeuxn1baPahuTcuoRsuyz4=
=YRJv
-----END PGP SIGNATURE-----
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support:
http://suricata-ids.org/support/
List:
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/
More information about the Oisf-users
mailing list