[Oisf-users] IPS alternatives to Snort's guardian?
Eric Leblond
eric at regit.org
Wed Jan 27 22:29:27 UTC 2016
Hello,
On Wed, 2016-01-27 at 22:07 +0000, John Devine wrote:
> I am running the wheezy backport and according to the documentation
> I've read Suricata needs to be in nfqueue mode to run as an IPS. In
> order for that to work it needs to have traffic forwarded through it
> and I don't want to have that be the only active firewall on the box
> because I have other systems (proxy etc.) tied in to iptables.
You can update your iptables ruleset to have everything working
together. I've described some possible setup in my blog:
https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/
It is not straightforward but it can be done via some of the available
suricata options.
Not resisting to mention it is so much easier with nftables:
https://home.regit.org/2014/02/suricata-and-nftables/
> I would prefer to have an IDS essentially as a packet sniffer and
> have a separate piece of software create iptables rules based on
> those alerts. Currently I am doing exactly that with Snort (IDS) and
> Guardian (IPS). Though I am currently working with Suricata to see if
> I can integrate it in this regard ultimately to replace Snort.
Almost sure you can replace guardian with a modified version of DOM. If
you can't code it, let me know what type of configuration you want and
I will have a look to see if it is feasible.
BR,
>
>
> From: Leonard Jacobs <ljacobs at netsecuris.com>
> Sent: Wednesday, January 27, 2016 4:59 PM
> To: John Devine; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian?
>
> As a OISF Board Member, why would you not want to run Suricata in IPS
> mode? AF-Packet mode works great as IPS.
>
>
>
> From: John Devine <john.devine at nuspire.com>
> To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
> Sent: 1/27/2016 2:10 PM
> Subject: [Oisf-users] IPS alternatives to Snort's guardian?
>
> Hi all,
>
> Currently I run snort as an IDS and guardian as an IPS. I am looking
> for alternatives to guardian for IPS software because guardian does
> not allow me to manually unblock specific IP addresses or change the
> duration of which something is blocked without some hassle or custom
> scripts. I have been messing around with Suricata and have
> successfully got it running both in IDS and IPS mode and alerting
> successfully. Right now I want to run Suricata as an IDS and have
> some other open source software to run as my IPS. Are there any
> decent alternatives to guardian.pl which allow me to manually unblock
> specific IP addresses and change the length of time in which
> something is blocked? I am looking for a good IPS 'companion' to run
> in tandem with Suricata.
>
> Thanks in advance
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
--
Eric Leblond <eric at regit.org>
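As an added illustration of the guardian-style "companion" discussed in this thread (this is not DOM and not code from the thread or from the Suricata project), a minimal Python block table that consumes Suricata EVE JSON alert lines, assigns each block its own duration, expires blocks on schedule and allows manual unblocking. The sample EVE lines, the SURICATA_BLOCK chain name and the severity-to-duration policy are all constructed assumptions; iptables commands are recorded rather than executed so the logic can be checked offline.

```python
import json
import time

# Constructed sample Suricata EVE JSON lines (not taken from the thread).
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature_id":2100498,"severity":1}}',
    '{"event_type":"flow","src_ip":"198.51.100.8","dest_ip":"192.0.2.10"}',
    '{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.10","alert":{"signature_id":2010935,"severity":3}}',
]

class BlockList:
    def __init__(self, default_ttl=3600, whitelist=(), chain="SURICATA_BLOCK"):
        self.default_ttl = default_ttl
        self.whitelist = set(whitelist)   # hosts that must never be blocked
        self.chain = chain                # dedicated chain, assumed to exist
        self.blocks = {}                  # ip -> expiry (epoch seconds)
        self.commands = []                # iptables calls recorded, not executed

    def block(self, ip, ttl=None, now=None):
        now = time.time() if now is None else now
        if ip in self.whitelist:
            return False
        is_new = ip not in self.blocks
        self.blocks[ip] = now + (self.default_ttl if ttl is None else ttl)
        if is_new:   # a repeat alert only extends the existing block
            self.commands.append(("iptables", "-I", self.chain, "-s", ip, "-j", "DROP"))
        return True

    def unblock(self, ip):
        """Manual or scheduled removal; idempotent."""
        if self.blocks.pop(ip, None) is None:
            return False
        self.commands.append(("iptables", "-D", self.chain, "-s", ip, "-j", "DROP"))
        return True

    def expire(self, now=None):
        """Remove every block whose duration has elapsed."""
        now = time.time() if now is None else now
        expired = [ip for ip, t in self.blocks.items() if t <= now]
        for ip in expired:
            self.unblock(ip)
        return expired

    def handle_eve_line(self, line, now=None):
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            return False
        # Assumed policy: block duration depends on alert severity (1 = highest).
        ttl = {1: 86400, 2: 3600}.get(ev["alert"].get("severity"), 600)
        return self.block(ev["src_ip"], ttl=ttl, now=now)
```

Listing the monitored hosts in `whitelist` keeps an alert whose source is your own server from locking you out, which is a failure mode any alert-driven blocker should guard against.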