LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 01-14-2014, 07:27 AM   #1
shawretti
LQ Newbie
 
How to set up an intrusion prevention system


Hello Guys,

We have compiled a Linux-based gateway router firewall for 100 users, which is a combo of squid + iptables.

Control policies are useless with squid as it is not able to block non-HTTP traffic, Torrent and Skype.

An intrusion prevention system can block non-HTTP traffic and other attacks.

Need help to decide what is the best option for us between Snort and Suricata?
 
Old 01-14-2014, 08:29 AM   #2
ericson007
Member
 
Location: Japan
Distribution: CentOS 7.1
Both of those are the same crap, just a different smell. Not that they are crap, just an expression, but it is essentially the same thing. Some vote Snort, some Suricata, but I am still to understand the greatness of one over the other. Snort is the older, Suricata the newer, but the rules are compatible. I suppose there are small differences, but nothing that makes me draw a clear winner.

They are IDS, not IPS, though. For IPS functionality, the easiest way is Snort on pfSense. It adds the blocking filters.
 
Old 01-14-2014, 08:46 AM   #3
shawretti
LQ Newbie
 
Original Poster

Thanks ericson007,

Well, the signatures are the same. Just checked the Snorby reporting app.

Also found a few distributions containing Suricata and their installation docs.

Giving it a try on my CentOS VM first.
 
Old 01-15-2014, 01:04 AM   #4
shawretti
LQ Newbie
 
Original Poster
Suricata inline works as an IPS in NFQUEUE mode. The CentOS install guide is nicely written and simple.

We also downloaded and installed simplewall from simplewallsoftware.

It is a CentOS 5 based kickstart-type ISO (I like the one-shot install process).

Suricata inline mode is the default, and Emerging Threats rules we can enable or update using the GUI, and also add custom rules.

The interesting thing we found is that it can completely block non-HTTP content.

HTTP content filter policy rules for IP, port, domains and file patterns are integrated into the IPS.

Checking performance with a simple dual-core VM with 2 GB RAM and 2 Ethernet cards.

Not sure how it will perform as a single NAT VM crowded with squid, ClamAV gateway antivirus, OpenVPN, blocklist and inline IPS.

Working on a pfSense VM; will soon share my experience with you guys. Thanks.
 
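The inline NFQUEUE setup the poster describes above, together with the IDS-versus-IPS point from post #2, as an added example. This is not code from the thread, from simplewall, Suricata or pfSense; it is a script a gateway admin would write by hand. It assumes an inside interface eth1 and outside interface eth0, NFQUEUE number 0, the Suricata config at /etc/suricata/suricata.yaml with a local rule file at /etc/suricata/rules/local.rules, and a custom SID in the 1000001+ range; all of those are assumptions to adjust for the box. The BitTorrent match relies only on the protocol's own handshake (one byte 0x13 followed by the literal "BitTorrent protocol"), so it catches peers on any port, which is what makes the "block non-HTTP content" claim work without relying on port numbers.

```shell
#!/bin/sh
# Added example (not from the thread): Suricata as an inline IPS on a
# Linux gateway via iptables NFQUEUE, plus a custom drop rule for
# non-HTTP traffic (the BitTorrent peer handshake). Interface names,
# queue number, file paths and the SID are assumptions.

LAN_IF="${LAN_IF:-eth1}"    # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"    # assumed outside interface
QUEUE="${QUEUE:-0}"         # NFQUEUE number Suricata reads with -q
RULES="${RULES:-/etc/suricata/rules/local.rules}"   # assumed path
CONF="${CONF:-/etc/suricata/suricata.yaml}"         # assumed path

# A Snort/Suricata rule is "IDS" or "IPS" purely by its action keyword:
# 'alert' only logs, 'drop' logs and blocks when the engine runs inline.
# Rewrites the action of every rule read on stdin to $1 (alert|drop).
set_rule_action() {
    sed -E "s/^(alert|drop|reject|pass)[[:space:]]+/$1 /"
}

# Custom rule: every BitTorrent peer handshake begins with 0x13 (the
# length of the protocol string) followed by "BitTorrent protocol", so a
# depth-limited content match at the start of the stream catches it on
# any port. $1 is the SID (use the local range, 1000000 and up).
bt_drop_rule() {
    printf '%s\n' "drop tcp any any -> any any (msg:\"BitTorrent peer handshake\"; flow:established,to_server; content:\"|13|BitTorrent protocol\"; depth:20; sid:$1; rev:1;)"
}

# iptables rules that hand forwarded traffic to Suricata. Without
# --queue-bypass the kernel drops every packet whenever nothing reads
# the queue (Suricata crashed or not yet started): fail-closed. With it
# the kernel forwards unfiltered instead: fail-open. $1 = closed|open.
nfq_rules() {
    bypass=""
    if [ "$1" = "open" ]; then
        bypass=" --queue-bypass"
    fi
    cat <<EOF
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -j NFQUEUE --queue-num $QUEUE$bypass
iptables -I FORWARD -i $WAN_IF -o $LAN_IF -j NFQUEUE --queue-num $QUEUE$bypass
EOF
}

# Install the custom rule, check the config parses, divert traffic to
# the queue and start Suricata daemonised on that queue. Root only.
apply_inline_ips() {
    bt_drop_rule 1000001 > "$RULES"
    suricata -T -c "$CONF" || return 1     # -T: test config and rules
    nfq_rules open | sh
    suricata -c "$CONF" -q "$QUEUE" -D
}

# Dry run when invoked without "apply" or without root: just show what
# would be installed, so the rules can be reviewed first.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
    apply_inline_ips
else
    nfq_rules open
    bt_drop_rule 1000001
    printf 'alert tcp any any -> any 80 (msg:"x"; sid:1;)\n' | set_rule_action drop
fi
```

Run it with no arguments to review the generated iptables commands and rule, then `sh script.sh apply` as root to install them. The fail-open/fail-closed choice is the part worth deciding deliberately: a gateway for 100 users with an IPS bolted onto squid, ClamAV and OpenVPN on one VM will eventually have Suricata stall or restart, and without `--queue-bypass` every forwarded packet is silently dropped until it comes back.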
Old 01-15-2014, 06:49 AM   #5
ericson007
Member
 
Sounds good so far! Hope it works out for you.

http://www.aldeid.com/wiki/Suricata-vs-snort

I just had a look at the link above. Maybe not the most up-to-date comparison, but interesting!

 