
Snort Forums Archive


Newbie question that I will leave to the experts to answer. :) Snort best practice?


Posted by Cliff on May 12, 2005 15:34:06

Sorry for the newbie question on the Advanced setup side. I have been using iptables mostly with Linux (set up an old box as a firewall/gateway; tired of killing cheap Linksys routers) and wanted to install something a bit more powerful, or more able, I guess I can say.

Out of all the advanced users, what do most of you prefer for a configuration with Snort? It's a loaded-gun question, since there are a lot of preferences. I've been looking at Snort inline, but maybe there is a better method to get more detail on the traffic.

There are so many options. Just curious about some best, or better, practices.

Thanks!! Again, sorry for the newbie questions.

Posted by mehner on May 13, 2005 06:44:54

Personally, I have been experimenting with the flexresp option. However, this is a slow process, and actually deploying this in a production environment is probably not going to happen. I know that inline is being pushed more so than flexresp, and the Sourcefire vendors are supporting this method.

At work, though, inline is a tough sell at this point. While it may do a better job of handling the viewing of data, it becomes a big target for other groups in the event of an issue, which is why flexresp was the more attractive, less intrusive solution.

If I was at home I would probably go with inline. It isn't production or a five-nines environment, so if something happened you could always roll back to a Linksys. Also, since you are comfortable with iptables, this should be good for you. The inline technology relies on iptables for stopping traffic, vs. flexresp sending RST packets.
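The two blocking mechanisms mehner contrasts, side by side as an added configuration fragment (not from the thread or from the Snort project): the inline build takes packets from the kernel's ip_queue and returns a verdict before they are forwarded, so a `drop` rule discards the packet; the flexresp build only sees a copy of the traffic, so its `resp` modifier tears the session down afterwards with forged RSTs. The `$HOME_NET`/`$EXTERNAL_NET` variables, the `EXAMPLE` content match, the file paths and the local sid numbers are assumed placeholders.

```conf
# --- Inline (snort_inline): the kernel hands forwarded packets to snort ---
# Shell steps on the gateway, assumed; run before starting snort_inline:
#   modprobe ip_queue
#   iptables -A FORWARD -j QUEUE          # every forwarded packet waits for a verdict
#   snort_inline -Q -c /etc/snort_inline/snort_inline.conf
#
# Rule in the inline ruleset: "drop" is an action, so a match means the packet
# never leaves the box. A misfiring rule therefore breaks traffic outright,
# which is the "big target for other groups" risk raised above.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE inline drop"; \
    flow:to_server,established; content:"EXAMPLE"; sid:1000001; rev:1;)

# --- Passive sensor with flexresp (snort built with --enable-flexresp) ---
# Snort sniffs a copy of the traffic, so the matching packet has already been
# delivered; "resp:rst_all" sends TCP RSTs to both endpoints to close the
# session after the fact. Nothing on the forwarding path depends on snort
# being up, which is why it is the less intrusive of the two.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE flexresp reset"; \
    flow:to_server,established; content:"EXAMPLE"; resp:rst_all; \
    sid:1000002; rev:1;)
```

Because the RST arrives after the first matching packet, flexresp cannot stop a single-packet event; it only shortens what follows, so a detection rule tuned for inline use should be re-validated before it is given a `resp` modifier.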