[Oisf-users] IPS alternatives to Snort's guardian?

Leonard Jacobs ljacobs at netsecuris.com
Wed Jan 27 22:26:01 UTC 2016


AF-Packet is in the Linux kernel.  I believe that means it really does not matter what operating system it is as long as the proper kernel level is used.

https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/



 From:   John Devine <john.devine at nuspire.com> 
 To:   Leonard Jacobs <ljacobs at netsecuris.com> 
 Sent:   1/27/2016 4:12 PM 
 Subject:   Re: [Oisf-users] IPS alternatives to Snort's guardian? 
Ubuntu 14.04 is Jessie, not Wheezy. Changing my OS is not really an option.
----------------
 
From: Leonard Jacobs <ljacobs at netsecuris.com>
 Sent: Wednesday, January 27, 2016 5:09 PM
 To: John Devine
 Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian? 
  
We run Ubuntu 14.04 LTS, with Suricata in AF-Packet mode as IPS.  It is all written up in the documentation.  No firewall needed in that mode.
From: John Devine <john.devine at nuspire.com> 
 To: Leonard Jacobs <ljacobs at netsecuris.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org> 
 Sent: 1/27/2016 4:07 PM 
 Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian? 
I am running the wheezy backport and according to the documentation I've read Suricata needs to be in nfqueue mode to run as an IPS. In order for that to work it needs to have traffic forwarded through it and I don't want to have that be the only active firewall on the box because I have other systems (proxy etc.) tied in to iptables. I would prefer to have an IDS essentially as a packet sniffer and have a separate piece of software create iptables rules based on those alerts. Currently I am doing exactly that with Snort (IDS) and Guardian (IPS). Though I am currently working with Suricata to see if I can integrate it in this regard ultimately to replace Snort.
----------------
 
From: Leonard Jacobs <ljacobs at netsecuris.com>
 Sent: Wednesday, January 27, 2016 4:59 PM
 To: John Devine; oisf-users at lists.openinfosecfoundation.org
 Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian? 
  
As an OISF Board Member, why would you not want to run Suricata in IPS mode?  AF-Packet mode works great as IPS.
From: John Devine <john.devine at nuspire.com> 
 To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org> 
 Sent: 1/27/2016 2:10 PM 
 Subject: [Oisf-users] IPS alternatives to Snort's guardian? 
Hi all,
 
Currently I run snort as an IDS and guardian as an IPS. I am looking for alternatives to guardian for IPS software because guardian does not allow me to manually unblock specific IP addresses or change the duration for which something is blocked without some hassle or custom scripts. I have been messing around with Suricata and have successfully got it running both in IDS and IPS mode and alerting successfully. Right now I want to run Suricata as an IDS and have some other open source software to run as my IPS. Are there any decent alternatives to guardian.pl which allow me to manually unblock specific IP addresses and change the length of time in which something is blocked? I am looking for a good IPS 'companion' to run in tandem with Suricata.
 
 Thanks in advance
 _______________________________________________
 Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
 Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
 List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
 Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net 
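The arrangement John describes (Suricata as a sniffer-only IDS, a separate program turning its alerts into timed iptables rules, with manual unblock and an adjustable block duration) is small enough to sketch. The script below is an added example written for this page; it is not Guardian, not code from the thread, and not part of Suricata. It assumes Suricata writes EVE JSON to a file the script is fed line by line, that the operator has created a dedicated chain (assumed name SURICATA_BLOCK) and added a jump to it from INPUT and FORWARD so the existing proxy and other rules are never touched, and that 192.0.2.0/24 stands in for a local network that must never be blocked. The eve.json lines embedded in it are constructed for offline use, not captured output.

```python
"""
Suricata alert -> timed iptables DROP companion (added example).

Assumptions (not from the thread or from Suricata):
  - chain SURICATA_BLOCK exists and INPUT/FORWARD jump to it
  - 192.0.2.0/24 is a protected local network
  - EVE JSON lines arrive on stdin (e.g. tail -F eve.json | this script)
"""
import ipaddress
import json
import subprocess
import time

# Constructed sample EVE lines for offline use (not real captured output).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-01-27T22:00:01+0000","event_type":"alert","src_ip":"203.0.113.10",'
    '"dest_ip":"192.0.2.5","alert":{"signature_id":2100498,"signature":"id check","severity":1}}',
    '{"timestamp":"2016-01-27T22:00:02+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.5"}',
    '{"timestamp":"2016-01-27T22:00:03+0000","event_type":"alert","src_ip":"198.51.100.9",'
    '"dest_ip":"192.0.2.5","alert":{"signature_id":2000001,"signature":"noise","severity":3}}',
    '{"timestamp":"2016-01-27T22:00:04+0000","event_type":"alert","src_ip":"192.0.2.20",'
    '"dest_ip":"192.0.2.5","alert":{"signature_id":2000002,"signature":"local","severity":1}}',
    'not json at all',
    '{"timestamp":"2016-01-27T22:00:05+0000","event_type":"alert","src_ip":"203.0.113.10",'
    '"dest_ip":"192.0.2.5","alert":{"signature_id":2100498,"signature":"id check","severity":2}}',
]

PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local net


def alert_source(line, max_priority=2, protected=PROTECTED_NETS):
    """Return the src_ip worth blocking for one EVE line, else None."""
    try:
        ev = json.loads(line)
    except ValueError:
        return None  # eve.json can contain partial lines while being written
    if ev.get("event_type") != "alert":
        return None
    # Suricata severity: 1 is most severe; drop low-priority noise.
    if ev.get("alert", {}).get("severity", 4) > max_priority:
        return None
    src = ev.get("src_ip")
    try:
        addr = ipaddress.ip_address(src)
    except (TypeError, ValueError):
        return None
    if any(addr in net for net in protected):
        return None  # never block our own side of the wire
    return src


class DryRunner:
    """Records the iptables argv that would run, for testing without root."""
    def __init__(self):
        self.commands = []

    def run(self, argv):
        self.commands.append(list(argv))
        return 0


def real_runner(argv):
    """Run iptables for real; raises if the rule insert/delete fails."""
    return subprocess.check_call(argv)


class Blocker:
    """Tracks blocked IPs with expiry times and keeps iptables in step."""
    def __init__(self, chain="SURICATA_BLOCK", runner=real_runner):
        self.chain = chain
        self.runner = runner
        self.expiry = {}  # ip -> unix time at which the rule is removed

    def _rule(self, action, ip):
        argv = ["iptables", action, self.chain]
        if action == "-I":
            argv.append("1")  # insert at top of our own chain only
        return argv + ["-s", ip, "-j", "DROP"]

    def block(self, ip, seconds, now=None):
        now = time.time() if now is None else now
        if ip in self.expiry:
            # Already blocked: extend the window, never insert a duplicate rule.
            self.expiry[ip] = max(self.expiry[ip], now + seconds)
            return False
        self.runner(self._rule("-I", ip))
        self.expiry[ip] = now + seconds
        return True

    def unblock(self, ip):
        """Manual or timed removal; returns False if ip was not blocked."""
        if ip not in self.expiry:
            return False
        self.runner(self._rule("-D", ip))
        del self.expiry[ip]
        return True

    def expire(self, now=None):
        now = time.time() if now is None else now
        due = [ip for ip, t in self.expiry.items() if t <= now]
        for ip in due:
            self.unblock(ip)
        return due


def process_lines(lines, blocker, block_seconds=3600, now=None, **kw):
    """Feed EVE lines through alert_source/block; returns newly blocked IPs."""
    newly = []
    for line in lines:
        ip = alert_source(line, **kw)
        if ip is not None and blocker.block(ip, block_seconds, now):
            newly.append(ip)
    return newly


if __name__ == "__main__":
    import sys
    # Usage (as root): tail -F /var/log/suricata/eve.json | python3 blocker.py
    b = Blocker()
    for raw in sys.stdin:
        for ip in process_lines([raw], b):
            print("blocked", ip)
        for ip in b.expire():
            print("expired", ip)
```

Block duration is the block_seconds argument and manual unblock is Blocker.unblock(), the two things Guardian was said to make awkward; the protected-network check is there because an IDS that blocks on src_ip will otherwise happily lock out the monitoring host itself on the first false positive. For a long-running deployment the expiry table should be persisted (or replaced by an ipset with a timeout) so a restart does not leave orphaned DROP rules in the chain.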