General Guidance Using Snort Inline

Drew Tomlinson drew at
Tue Feb 14 10:56:17 PST 2006

I've installed snort 2.4.3 on a 6.0 machine and have it logging 
successfully to a MySQL database on another machine in my home network.  
I also have BASE installed on that machine to view the alerts.

Now I'd like to move forward and do things like "block an IP address for 
1 hour that has generated 5 alerts on the same rule in the past 
minute".  I've Googled and read about snort inline.  But what I've read 
suggests that snort works with ipfilter.  I'm running ipfw2 for my 
firewall on the same box that's running snort.  To use snort inline, do 
I have to convert my entire firewall to ipfilter?  Or will snort use 
ipfilter to do its "inline" stuff and ipfw2 can continue to work on its own?

I'm confused about how this should work and would appreciate any nudges 
to guides regarding this setup.
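The "block an IP for an hour after 5 alerts on the same rule within a minute" behaviour described in the post can be built without snort inline at all, by watching Snort's alert output and driving the existing ipfw2 firewall from a small script. The following is an added example for illustration, not code from the original poster or from the Snort project. It assumes Snort's `alert_fast` text output layout, assumes the block list lives in an ipfw table (for example table 1, referenced by a rule such as `ipfw add deny ip from table(1) to any`), and only collects the `ipfw table 1 add/delete` commands it would run rather than executing them. The alert lines are constructed, the year is assumed to be 2006 because `alert_fast` timestamps carry none, and lines are expected in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort "alert_fast" line layout (assumed for this example), e.g.
# 02/14-10:56:17.000001  [**] [1:2003:8] MSG [**] [Priority: 1] {TCP} 10.0.0.5:4444 -> 192.168.1.10:22
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

YEAR = 2006                    # assumed: alert_fast timestamps have no year
WINDOW = timedelta(minutes=1)  # "in the past minute"
THRESHOLD = 5                  # "5 alerts on the same rule"
BLOCK_FOR = timedelta(hours=1) # "block for 1 hour"
TABLE = 1                      # assumed ipfw table holding blocked sources


class AutoBlocker:
    """Sliding-window counter keyed on (source IP, gid:sid). When a source
    trips THRESHOLD alerts on one rule inside WINDOW it is added to the ipfw
    table for BLOCK_FOR; lapsed entries are removed again."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD, block_for=BLOCK_FOR):
        self.window, self.threshold, self.block_for = window, threshold, block_for
        self.recent = defaultdict(deque)  # (src, "gid:sid") -> alert timestamps
        self.blocked = {}                 # src -> time the block expires
        self.commands = []                # ipfw commands we would issue

    def expire(self, now):
        """Unblock sources whose hour is up; returns the released IPs."""
        lapsed = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in lapsed:
            del self.blocked[ip]
            self.commands.append(f"ipfw table {TABLE} delete {ip}")
        return lapsed

    def process(self, line):
        """Feed one alert line; returns None (unparsed), 'count', 'block'
        or 'already-blocked'."""
        m = ALERT_RE.match(line)
        if not m:
            return None
        now = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=YEAR)
        self.expire(now)
        src, rule = m["src"], f'{m["gid"]}:{m["sid"]}'
        if src in self.blocked:
            return "already-blocked"
        hits = self.recent[(src, rule)]
        hits.append(now)
        while hits and now - hits[0] > self.window:  # drop alerts older than a minute
            hits.popleft()
        if len(hits) >= self.threshold:
            self.blocked[src] = now + self.block_for
            hits.clear()
            self.commands.append(f"ipfw table {TABLE} add {src}")
            return "block"
        return "count"


def replay(lines):
    """Run a batch of alert lines through a fresh AutoBlocker;
    returns (per-line results, firewall commands that would be run)."""
    blocker = AutoBlocker()
    results = [blocker.process(line) for line in lines]
    return results, blocker.commands


# Constructed sample alerts (not from a real sensor): 10.0.0.5 trips rule
# 1:2003 five times in 23 seconds; an alert on another rule in between does
# not count toward it; 10.0.0.9 alerts once more after the block has lapsed.
TAIL = "[**] [Priority: 1] {TCP} "
SAMPLE_ALERTS = [
    "02/14-10:56:17.000001  [**] [1:2003:8] EXAMPLE rule A " + TAIL + "10.0.0.5:4444 -> 192.168.1.10:22",
    "02/14-10:56:20.000001  [**] [1:2003:8] EXAMPLE rule A " + TAIL + "10.0.0.5:4445 -> 192.168.1.10:22",
    "02/14-10:56:25.000001  [**] [1:2003:8] EXAMPLE rule A " + TAIL + "10.0.0.5:4446 -> 192.168.1.10:22",
    "02/14-10:56:30.000001  [**] [1:9999:1] EXAMPLE rule B " + TAIL + "10.0.0.5:4447 -> 192.168.1.10:22",
    "02/14-10:56:33.000001  [**] [1:2003:8] EXAMPLE rule A " + TAIL + "10.0.0.5:4448 -> 192.168.1.10:22",
    "02/14-10:56:40.000001  [**] [1:2003:8] EXAMPLE rule A " + TAIL + "10.0.0.5:4449 -> 192.168.1.10:22",
    "02/14-10:56:45.000001  [**] [1:2003:8] EXAMPLE rule A " + TAIL + "10.0.0.5:4450 -> 192.168.1.10:22",
    "02/14-10:57:00.000001  [**] [1:2003:8] EXAMPLE rule A " + TAIL + "10.0.0.9:5000 -> 192.168.1.10:22",
    "02/14-12:00:00.000001  [**] [1:2003:8] EXAMPLE rule A " + TAIL + "10.0.0.9:5001 -> 192.168.1.10:22",
    "not an alert line at all",
]

if __name__ == "__main__":
    results, commands = replay(SAMPLE_ALERTS)
    for line, result in zip(SAMPLE_ALERTS, results):
        print(f"{result!s:16} {line[:60]}")
    print("\n".join(commands))
```

Because the script reacts to alerts after the fact, the packets that raised the first five alerts are not stopped; only traffic after the table entry is added is dropped, which is the inherent difference between this alert-driven approach and true inline blocking. In production the commands would be run with `subprocess` as a privileged user and the timestamps taken from a log tail rather than a fixed list.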
