- 09-21-2005 #1 Just Joined!
- Join Date
- Aug 2005
- Posts
- 5
Using Snort with iptables, how to?
Hi all,
I want to build an IPS (intrusion prevention system); I have read that Snort in combination with iptables can build such a system.
I have read about snort-inline and SnortSam, and I have installed Snort and iptables on my system, only as an IDS.
I need a guide and help building my IPS, and which is better, snort-inline or SnortSam?
My point of view for an IPS is: "to block the particular IP for a period of time if a Snort rule is triggered at a specified priority". That is what I want to do; I am a newbie to security and seek any help on this.
Thanks in advance.
- 10-04-2005 #2 Just Joined!
- Join Date
- Sep 2005
- Posts
- 1
I researched this topic a while back and didn't find many articles; however, this topic seems to be an author favorite because I found that many books have been written on this subject.
I did find this site that had a number of general network security articles:
http://www.findingfacts.com/L3/L3_1_17_19.php
- 10-05-2005 #3 Just Joined!
- Join Date
- Aug 2005
- Posts
- 5
Yes, you are right.
I have found (as you may have) that iptables must be configured with the "QUEUE" rule and "modprobe ip_queue" must be used to allow this capability.
Then Snort must be compiled with the "inline" option.
The interesting thing was running Snort with the "-Q" argument, which I could not find in the documentation!
I have tried
"snort -QDev -c /etc/snort/snort.conf"
and the iptables rule set to QUEUE; the result was:
my website went down in 2 hours, and I did not know why, because the iptables log is mixed with the system messages log, and it was better to return to normal IDS functionality.
I hope I can find a more reliable and better documented IDS, from a new organization that appreciates their work more than their pig ...
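The setup described in post #3 (ip_queue, a QUEUE rule, snort compiled inline and started with -Q) and the goal stated in post #1 (block an offending IP for a period of time when an alert of a given priority fires) can be combined in one small helper script. The script below is an added example written for this thread, not code from any poster or from the Snort or snort-inline projects. It assumes Snort writes alerts in its one-line "fast" format, that the `SNORT_INLINE` and `SNORT_BLOCK` chain names, the `snort-block:` log prefix and the `NEVER_BLOCK` list are local choices, and that `DRY_RUN=1` (the default) prints every iptables command instead of running it, so it can be read and tested without touching a live firewall. The alert lines in `SAMPLE_ALERTS` are constructed for the demo and use documentation addresses only.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): drive iptables from
# Snort alerts, blocking a source IP for BLOCK_SECONDS when the alert priority is
# MAX_PRIORITY or more severe (Snort priority 1 is the most severe).
# Assumed/hypothetical: chain names SNORT_INLINE and SNORT_BLOCK, the log prefix,
# and the NEVER_BLOCK list. DRY_RUN=1 (default) prints commands instead of running them.

DRY_RUN=${DRY_RUN:-1}
IPTABLES=${IPTABLES:-iptables}
BLOCK_SECONDS=${BLOCK_SECONDS:-600}      # how long an offender stays blocked
MAX_PRIORITY=${MAX_PRIORITY:-2}          # block on priorities 1..MAX_PRIORITY
NEVER_BLOCK=${NEVER_BLOCK:-"127.0.0.1 192.0.2.1"}   # assumed: loopback and the gateway
BLOCKED=""                               # in-memory list of currently blocked IPs

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Inline mode as the thread describes it: load the kernel queue module, send the
# traffic to be inspected through a dedicated chain ending in QUEUE, and start
# snort reading from that queue (-Q) as a daemon (-D).
inline_setup() {
    run_cmd modprobe ip_queue
    run_cmd "$IPTABLES" -N SNORT_INLINE
    run_cmd "$IPTABLES" -A SNORT_INLINE -j QUEUE
    run_cmd "$IPTABLES" -N SNORT_BLOCK
    run_cmd "$IPTABLES" -I INPUT -j SNORT_BLOCK
    run_cmd "$IPTABLES" -I FORWARD -j SNORT_BLOCK
    run_cmd "$IPTABLES" -A INPUT -j SNORT_INLINE
    run_cmd "$IPTABLES" -A FORWARD -j SNORT_INLINE
    run_cmd snort -Q -D -c /etc/snort/snort.conf -l /var/log/snort
}

# Print "priority srcip" for one fast-format alert line, nothing for other lines.
# Works for lines with ports ("{TCP} a.b.c.d:p -> ...") and without ("{ICMP} a.b.c.d -> ...").
parse_alert() {
    printf '%s\n' "$1" | sed -n \
        's/.*\[Priority: \([0-9]*\)\].*} \([0-9.]*\)[^ ]* -> .*/\1 \2/p'
}

# Exit status 0 when the priority is severe enough to act on.
should_block() {
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_PRIORITY" ]
}

# Never block management addresses: a bad rule must not take the site down.
is_protected() {
    case " $NEVER_BLOCK " in *" $1 "*) return 0 ;; esac
    return 1
}

# Insert a LOG (rate-limited, with its own prefix so syslog can route it to a
# separate file) and a DROP for the source, then schedule their removal.
block_ip() {
    ip=$1
    if is_protected "$ip"; then return 0; fi
    case " $BLOCKED " in *" $ip "*) return 0 ;; esac      # already blocked
    BLOCKED="$BLOCKED $ip"
    run_cmd "$IPTABLES" -I SNORT_BLOCK -s "$ip" -j DROP
    run_cmd "$IPTABLES" -I SNORT_BLOCK -s "$ip" -m limit --limit 3/min \
        -j LOG --log-prefix "snort-block: "
    if [ "$DRY_RUN" = 1 ]; then
        printf '# after %ss: %s -D SNORT_BLOCK -s %s -j DROP (and the LOG rule)\n' \
            "$BLOCK_SECONDS" "$IPTABLES" "$ip"
    else
        ( sleep "$BLOCK_SECONDS"
          "$IPTABLES" -D SNORT_BLOCK -s "$ip" -m limit --limit 3/min \
              -j LOG --log-prefix "snort-block: "
          "$IPTABLES" -D SNORT_BLOCK -s "$ip" -j DROP ) &
    fi
}

# Read alert lines on stdin (e.g. tail -F /var/log/snort/alert | sh this.sh run).
handle_alerts() {
    while IFS= read -r line; do
        set -- $(parse_alert "$line")
        [ $# -eq 2 ] || continue
        if should_block "$1"; then block_ip "$2"; fi
    done
}

# Constructed sample alerts: one to block, one too low in priority, one duplicate
# source, one from a protected address, and one line that is not an alert.
SAMPLE_ALERTS='09/21-10:15:01.000000  [**] [1:1000001:1] TEST priority-1 alert [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4444 -> 192.0.2.10:80
09/21-10:15:02.000000  [**] [1:1000002:1] TEST priority-3 alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 203.0.113.8 -> 192.0.2.10
09/21-10:15:03.000000  [**] [1:1000001:1] TEST priority-1 alert [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4445 -> 192.0.2.10:80
09/21-10:15:04.000000  [**] [1:1000003:1] TEST priority-2 alert [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.0.2.1:53 -> 192.0.2.10:53
Snort startup chatter that is not an alert'

demo() { printf '%s\n' "$SAMPLE_ALERTS" | handle_alerts; }

case "${1:-}" in
    demo) demo ;;
    run)  inline_setup; handle_alerts ;;
esac
```

Running `sh this.sh demo` with the default `DRY_RUN=1` prints one DROP, one LOG and one expiry note for 203.0.113.7 only: the priority-3 alert is below the threshold, the repeated source is deduplicated, and 192.0.2.1 is on the protected list. The distinct `snort-block:` prefix addresses the complaint in post #3 about firewall messages being mixed into the system log: a syslog filter on that prefix (for example rsyslog's `:msg, contains, "snort-block: "` rule) sends them to their own file. The in-memory `BLOCKED` list is not pruned when a background unblock fires, so a second alert after expiry is ignored; on kernels with ipset, a `hash:ip` set created with a `timeout` replaces both the list and the sleeping subshells.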