[Oisf-users] IPS alternatives to Snort's guardian?

John Devine john.devine at nuspire.com
Wed Jan 27 22:13:21 UTC 2016


Ubuntu 14.04 is Jessie, not Wheezy. Changing my OS is not really an option.


________________________________
From: Leonard Jacobs <ljacobs at netsecuris.com>
Sent: Wednesday, January 27, 2016 5:09 PM
To: John Devine
Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian?

We run Ubuntu 14.04 LTS, with Suricata in AF-Packet mode as IPS.  It is all written up in the documentation.  No firewall needed in that mode.




From: John Devine <john.devine at nuspire.com>
To: Leonard Jacobs <ljacobs at netsecuris.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Sent: 1/27/2016 4:07 PM
Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian?


I am running the wheezy backport and, according to the documentation I've read, Suricata needs to be in nfqueue mode to run as an IPS. In order for that to work it needs to have traffic forwarded through it, and I don't want that to be the only active firewall on the box because I have other systems (proxy etc.) tied in to iptables. I would prefer to have an IDS essentially as a packet sniffer and have a separate piece of software create iptables rules based on those alerts. Currently I am doing exactly that with Snort (IDS) and Guardian (IPS). I am currently working with Suricata, though, to see if I can integrate it in this regard and ultimately replace Snort.


________________________________
From: Leonard Jacobs <ljacobs at netsecuris.com>
Sent: Wednesday, January 27, 2016 4:59 PM
To: John Devine; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian?

As an OISF Board Member, why would you not want to run Suricata in IPS mode?  AF-Packet mode works great as IPS.



From: John Devine <john.devine at nuspire.com>
To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Sent: 1/27/2016 2:10 PM
Subject: [Oisf-users] IPS alternatives to Snort's guardian?


Hi all,

Currently I run snort as an IDS and guardian as an IPS. I am looking for alternatives to guardian for IPS software because guardian does not allow me to manually unblock specific IP addresses or change the duration for which something is blocked without some hassle or custom scripts. I have been messing around with Suricata and have successfully got it running both in IDS and IPS mode and alerting successfully. Right now I want to run Suricata as an IDS and have some other open source software run as my IPS. Are there any decent alternatives to guardian.pl which allow me to manually unblock specific IP addresses and change the length of time for which something is blocked? I am looking for a good IPS 'companion' to run in tandem with Suricata.

Thanks in advance
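A minimal "companion" of the kind described in this post, as an added example that is not part of the thread, of Suricata or of guardian: it reads Suricata EVE JSON alert lines, keeps a blocklist with a configurable duration and a manual unblock, and emits iptables commands for a dedicated chain rather than executing them, so the existing iptables policy on the box stays intact. The sample EVE records, the chain name SURICATA_BLOCK and the whitelist are constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed Suricata EVE JSON records (documentation address ranges, no real traffic).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-01-27T21:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","alert":{"signature_id":1000001,"signature":"TEST scan","severity":2}}',
    '{"timestamp":"2016-01-27T21:00:01.000000+0000","event_type":"flow","src_ip":"203.0.113.11","dest_ip":"192.0.2.5"}',
    '{"timestamp":"2016-01-27T21:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.7","dest_ip":"192.0.2.5","alert":{"signature_id":1000002,"signature":"TEST internal","severity":3}}',
]

def parse_eve_time(ts):
    """EVE timestamps look like 2016-01-27T21:00:00.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

class BlockList:
    """Blocked source IPs with per-entry expiry. Returns iptables argv lists for a
    dedicated chain (assumed name) instead of running them; a supervisor executes them."""
    def __init__(self, duration=timedelta(minutes=30), whitelist=(), chain="SURICATA_BLOCK"):
        self.duration = duration
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.chain = chain
        self.blocked = {}  # ip -> expiry datetime

    def _rule(self, action, ip):
        return ["iptables", action, self.chain, "-s", ip, "-j", "DROP"]
    def block(self, ip, now, duration=None):
        """Block ip until now + duration; returns an insert command only for new entries."""
        if any(ipaddress.ip_address(ip) in net for net in self.whitelist):
            return None  # never block our own networks
        expiry = now + (duration or self.duration)
        is_new = ip not in self.blocked
        self.blocked[ip] = max(self.blocked.get(ip, expiry), expiry)  # repeat alerts extend, never shorten
        return self._rule("-I", ip) if is_new else None

    def unblock(self, ip):
        """Manual or expiry-driven unblock; returns a delete command, or None if not blocked."""
        return self._rule("-D", ip) if self.blocked.pop(ip, None) is not None else None
    def expire(self, now):
        """Remove every entry whose block duration has elapsed."""
        return [self.unblock(ip) for ip in [i for i, exp in self.blocked.items() if exp <= now]]

def process_eve(lines, blocklist, max_severity=2):
    """Feed EVE lines; block alert sources with severity <= max_severity (1 is most severe)."""
    cmds = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or ev["alert"]["severity"] > max_severity:
            continue  # ignore flow/http/etc. records and low-priority alerts
        cmd = blocklist.block(ev["src_ip"], parse_eve_time(ev["timestamp"]))
        if cmd:
            cmds.append(cmd)
    return cmds
```

In practice the lines would come from tailing eve.json, and the returned argv lists would be passed to subprocess against a chain that the main iptables policy jumps to, so blocks can be listed and removed independently of the rest of the ruleset.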


_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net

