Friday, November 9, 2007

Snort_inline, firewall DROP rules and fucking behavior

well well...

Snort_inline with DROP rules sent to iptables is really a good defense mechanism...
I'm using them in production environments...

BUT? there is always a *but* in security :)

But... of course there will always be false positives (behaviors considered BAD actions)...
For example, using Snort with the Inline patch and all the default rules, I ran into the following trouble:

I was just doing new things with Apache, Glassfish and mod_jk, sometimes resetting the connections
from Firefox to my server with the STOP loading button, and after this the server was not responding anymore...
well, at least on port 80 :)

Looking at the Snort logs I found this:


As you can see, there are Snort alerts for just these things...

So I'm asking myself, more and more, whether inline mode is really a good solution in production...
Well, maybe with a bit of tweaking of the Snort rules, yes, it can be...
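One way to do that tweaking, as an added example that is not part of the original post: parse the Snort "fast" alert log, group the hits by generator/signature id and source host, and then either emit snort.conf `suppress` entries for the noisy signature or rewrite its rule action from `drop` to `alert` so it keeps firing without blocking the traffic. Everything below is constructed for the example: the alert lines, the rules, the hosts, and the SIDs (which use the local range above 1000000, not any real ruleset's ids).

```python
"""Triage helper for snort_inline false positives (added example, not from the post).

Reads Snort 2.x "fast" alert lines, groups them by (gid, sid), and emits either
snort.conf 'suppress' entries or a rules file with 'drop' turned into 'alert'
for the SIDs you decide are noise. All sample data and SIDs are constructed.
"""
import re
from collections import defaultdict

# Snort 2.x fast-format alert line. Ports are absent for non-TCP/UDP alerts,
# and the [Classification: ...] field is optional.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts: a browser on 192.168.1.20 hitting STOP (TCP RST)
# against the web server 192.168.1.10:80, plus one unrelated ICMP alert.
SAMPLE_ALERTS = """\
11/09-10:15:32.123456  [**] [1:1000001:1] LOCAL client reset to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.20:51234 -> 192.168.1.10:80
11/09-10:15:40.654321  [**] [1:1000001:1] LOCAL client reset to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.20:51240 -> 192.168.1.10:80
11/09-10:16:02.000001  [**] [1:1000002:1] LOCAL ICMP probe [**] [Priority: 3] {ICMP} 10.9.9.9 -> 192.168.1.10
"""

# Constructed snort_inline rules in the local SID range (>= 1000000).
SAMPLE_RULES = """\
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL client reset to web server"; flags:R; sid:1000001; rev:1;)
drop icmp any any -> $HOME_NET any (msg:"LOCAL ICMP probe"; sid:1000002; rev:1;)
"""


def parse_fast_alert(line):
    """Return a dict of the alert fields, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Group alerts by (gid, sid): hit count, source hosts and destination ports."""
    summary = defaultdict(lambda: {"msg": "", "count": 0, "sources": set(), "dports": set()})
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a is None:
            continue  # skip blank or non-alert lines
        entry = summary[(a["gid"], a["sid"])]
        entry["msg"] = a["msg"]
        entry["count"] += 1
        entry["sources"].add(a["src"])
        if a["dport"]:
            entry["dports"].add(int(a["dport"]))
    return dict(summary)


def suppress_lines(summary, sids):
    """snort.conf 'suppress' entries that silence the given SIDs per source host."""
    out = []
    for (gid, sid), entry in sorted(summary.items()):
        if sid in sids:
            for src in sorted(entry["sources"]):
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return out


def rewrite_rule_action(rules_text, sids, new_action="alert"):
    """Change the action of drop/sdrop/reject rules carrying the given SIDs.

    The signature keeps firing (you still see it in the log) but no longer
    makes snort_inline drop the packet.
    """
    out = []
    for line in rules_text.splitlines():
        m = re.match(r"^(drop|sdrop|reject)\s", line)
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        if m and sid and sid.group(1) in sids:
            line = new_action + line[m.end(1):]
        out.append(line)
    return "\n".join(out) + ("\n" if rules_text.endswith("\n") else "")


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for key, e in sorted(s.items()):
        print(key, e["count"], sorted(e["sources"]), sorted(e["dports"]), e["msg"])
    noisy = {"1000001"}  # the RST-from-the-browser signature, judged a false positive
    print("\n".join(suppress_lines(s, noisy)))
    print(rewrite_rule_action(SAMPLE_RULES, noisy))
```

The summary is what you look at first: a signature that fires only from your own workstation against your own port 80 is a tuning candidate, not an attack. Switching its action to `alert` is the safer first step, because you keep the visibility and can go back to `drop` once the rule has been narrowed; `suppress` by source host is the quick fix for a single trusted client.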

I will continue my studies on it ;)
