Comment Re:Snort-Inline+IPTables+Scripts = Decent IPS (Score 1) 264
I think before you rubbish snort-inline you should understand what both it and similar products actually do.
Snort inline is not designed to update an iptables FW with a rule to block all traffic from the attacking IP. Yes, you are correct in stating that this could lead to unexpected DoS attacks from a savvy attacker.
Snort inline can take one of the following options when a "bad" packet enters the network.
- sdrop : Silently drop that single packet
- drop : Drop the packet and alert of the attack
- reject : Drop the packet and send a RST to both parties, shutting down the TCP flow.
I am not saying that Snort inline is without its problems (looking after multiple instances scattered across a network by hand-rolling a load of bash/perl can suck), but it does a great job of doing exactly what it claims to do.
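To make the three per-packet actions concrete, here is an added example rules fragment in Snort inline rule syntax; it is not from the comment above or from the snort_inline project's own distribution. The rule action keyword (sdrop, drop, reject) replaces the usual alert keyword at the front of each rule, and the packet reaches Snort inline because an iptables rule such as `iptables -A FORWARD -j QUEUE` hands forwarded traffic to the inline engine. The variable $HOME_NET, the content patterns and the sid values are assumptions chosen for illustration.

```snort
# Assumed: $HOME_NET is defined in snort_inline.conf; sids and content are illustrative.
# Each rule only acts on the single packet that matched it. Nothing here adds a
# host-wide block, so a spoofed source address cannot be used to lock out a third party.

# sdrop: discard the matching packet and log nothing (no alert generated)
sdrop tcp any any -> $HOME_NET 80 (msg:"EXAMPLE sdrop noisy scanner probe"; \
    flow:to_server,established; content:"/cgi-bin/scanner-probe"; nocase; \
    sid:1000001; rev:1;)

# drop: discard the matching packet and raise an alert for the analyst
drop tcp any any -> $HOME_NET 80 (msg:"EXAMPLE drop traversal attempt"; \
    flow:to_server,established; content:"../../"; \
    sid:1000002; rev:1;)

# reject: discard the packet and send a TCP RST to both endpoints,
# tearing down the whole flow rather than just losing one packet
reject tcp any any -> $HOME_NET 22 (msg:"EXAMPLE reject banner mismatch"; \
    flow:to_server,established; content:"SSH-1.5-"; depth:8; \
    sid:1000003; rev:1;)
```

The practical difference between the three is what the attacker observes: sdrop and drop look like packet loss (the client retransmits and eventually times out), while reject is immediately visible as a reset, which ends the session cleanly but also tells the attacker the traffic was inspected.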