[Oisf-users] IPS alternatives to Snort's guardian?

John Devine john.devine at nuspire.com
Thu Jan 28 14:53:12 UTC 2016


The way I have my iptables rules set up currently for Suricata in IPS mode is as follows:

# dedicated chain that hands packets to Suricata's NFQUEUE
iptables -N FORWARD-NFQ
# jump into it from the end of INPUT, so the existing INPUT rules run first
iptables -A INPUT -j FORWARD-NFQ
# inside the new chain, queue the packet to Suricata (queue 0 by default)
iptables -A FORWARD-NFQ -j NFQUEUE

I create a new chain (FORWARD-NFQ) for the NFQ forwarding, append a jump in my INPUT chain to that new chain and finally add the NFQUEUE forwarding into that new chain. This allows traffic to still pass through my input chain rules as well as nfq for suricata.

________________________________________
From: Eric Leblond <eric at regit.org>
Sent: Wednesday, January 27, 2016 5:29 PM
To: John Devine; Leonard Jacobs; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian?

Hello,

On Wed, 2016-01-27 at 22:07 +0000, John Devine wrote:
> I am running the wheezy backport and according to the documentation
> I've read Suricata needs to be in nfqueue mode to run as an IPS. In
> order for that to work it needs to have traffic forwarded through it
> and I don't want to have that be the only active firewall on the box
> because I have other systems (proxy etc.) tied in to iptables.

You can update your iptables ruleset to have everything working
together. I've described some possible setup in my blog:

https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/

It is not straightforward but it can be done via some of the available
suricata options.

I cannot resist mentioning that it is so much easier with nftables:
https://home.regit.org/2014/02/suricata-and-nftables/

>  I would prefer to have an IDS essentially as a packet sniffer and
> have a separate piece of software create iptables rules based on
> those alerts. Currently I am doing exactly that with Snort (IDS) and
> Guardian (IPS). Though I am currently working with Suricata to see if
> I can integrate it in this regard ultimately to replace Snort.

I am almost sure you can replace guardian with a modified version of DOM.
If you can't code it, let me know what type of configuration you want and
I will take a look to see if it is feasible.

BR,

>
>
> From: Leonard Jacobs <ljacobs at netsecuris.com>
> Sent: Wednesday, January 27, 2016 4:59 PM
> To: John Devine; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian?
>
> As an OISF Board Member, why would you not want to run Suricata in IPS
> mode?  AF-Packet mode works great as IPS.
>
>
>
> From: John Devine <john.devine at nuspire.com>
> To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
> Sent: 1/27/2016 2:10 PM
> Subject: [Oisf-users] IPS alternatives to Snort's guardian?
>
> Hi all,
>
> Currently I run snort as an IDS and guardian as an IPS. I am looking
> for alternatives to guardian for IPS software because guardian does
> not allow me to manually unblock specific IP addresses or change the
> duration for which something is blocked without some hassle or custom
> scripts. I have been messing around with Suricata and have
> successfully got it running both in IDS and IPS mode and alerting
> successfully. Right now I want to run Suricata as an IDS and have
> some other open source software to run as my IPS. Are there any
> decent alternatives to guardian.pl which allow me to manually unblock
> specific IP addresses and change the length of time in which
> something is blocked? I am looking for a good IPS 'companion' to run
> in tandem with Suricata.
>
> Thanks in advance
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
--
Eric Leblond <eric at regit.org>
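The thread asks for a guardian replacement that reads IDS alerts, blocks the source in iptables, and still allows a manual unblock and a per-block duration. The script below is an added example for this page; it is not code from the thread, from Suricata, from guardian or from DOM. It reads Suricata's eve.json alert records and blocks the alerting source through an ipset whose entries carry their own timeout, so the block duration is a per-entry number and unblocking is a single ipset command rather than a custom script. The set name (suricata-block), the whitelist, the default and per-signature durations, and the sample eve.json lines are all assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread or from Suricata/guardian/DOM.

A minimal guardian-style IPS companion: read Suricata's eve.json alert
stream and block the offending source with an ipset entry that carries its
own timeout, so block duration is per entry and unblocking is one command.
Set name, whitelist, durations and the sample events below are assumptions.
"""
import json
import subprocess

SET_NAME = "suricata-block"                 # assumed ipset name
DEFAULT_TIMEOUT = 3600                      # seconds, used when no per-SID value applies
MAX_SEVERITY = 2                            # block only on priority 1 and 2 alerts
NEVER_BLOCK = {"127.0.0.1", "10.0.0.1"}     # assumed: loopback and the box's gateway
DURATION_BY_SID = {2010935: 86400}          # assumed per-signature override (seconds)


def setup_commands(set_name=SET_NAME, default_timeout=DEFAULT_TIMEOUT):
    """Create the set and drop matching sources before any other rule.

    The DROP rules are inserted at position 1 so a blocked host never reaches
    the NFQUEUE jump (or the rest of the INPUT chain) at all.
    """
    return [
        ["ipset", "create", set_name, "hash:ip", "timeout", str(default_timeout), "-exist"],
        ["iptables", "-I", "INPUT", "1", "-m", "set", "--match-set", set_name, "src", "-j", "DROP"],
        ["iptables", "-I", "FORWARD", "1", "-m", "set", "--match-set", set_name, "src", "-j", "DROP"],
    ]


def block_command(ip, seconds, set_name=SET_NAME):
    """Block `ip` for `seconds`; re-adding an existing entry refreshes its timer."""
    return ["ipset", "add", set_name, ip, "timeout", str(seconds), "-exist"]


def unblock_command(ip, set_name=SET_NAME):
    """Manual unblock: remove the entry regardless of its remaining timeout."""
    return ["ipset", "del", set_name, ip, "-exist"]


def decide(event):
    """Return (ip, timeout_seconds) if an eve.json event should trigger a block, else None."""
    if event.get("event_type") != "alert":
        return None
    alert = event.get("alert", {})
    if alert.get("severity", 3) > MAX_SEVERITY:
        return None
    ip = event.get("src_ip")
    if not ip or ip in NEVER_BLOCK:
        return None
    return ip, DURATION_BY_SID.get(alert.get("signature_id"), DEFAULT_TIMEOUT)


def process_lines(lines):
    """Turn a batch of eve.json lines into ipset commands, one per distinct source."""
    commands, seen = [], set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                        # partial line while Suricata is still writing it
        decision = decide(event)
        if decision and decision[0] not in seen:
            seen.add(decision[0])
            commands.append(block_command(*decision))
    return commands


def run(commands, dry_run=True):
    """Print (dry run) or execute the commands; the real thing needs root."""
    for cmd in commands:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


# Constructed sample of eve.json alert/flow records (not captured traffic)
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":1}}
{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound","severity":3}}
{"event_type":"flow","src_ip":"203.0.113.50","dest_ip":"192.0.2.10"}
{"event_type":"alert","src_ip":"203.0.113.77","dest_ip":"192.0.2.10","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}
{"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"192.0.2.10","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":1}}
{"event_type":"alert","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":1}}
"""

if __name__ == "__main__":
    run(setup_commands())
    run(process_lines(SAMPLE_EVE.splitlines()))
    run([unblock_command("198.51.100.23")])
```

Run as root with dry_run=False and feed it the tail of eve.json (a read loop on the file, or Suricata's eve output over a unix socket) instead of SAMPLE_EVE. Two caveats a practitioner would check before trusting it: the DROP rules must sit ahead of the NFQUEUE jump in the ruleset shown at the top of the thread, which is why they are inserted at position 1, and src_ip is the attacker only for alerts on client-to-server traffic, so rules that fire on the server's reply (many ATTACK_RESPONSE signatures) would block the victim unless the blocker also looks at the rule's direction. Because ipset expires entries itself, there is no separate cleanup daemon, and changing a duration is just re-adding the entry with a new timeout.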