From: Drew Tomlinson <drew@mykitchentable.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Tue, 14 Feb 2006 10:56:10 -0800
Message-ID: <43F227CA.60603@mykitchentable.net>
Subject: General Guidance Using Snort Inline

I've installed snort 2.4.3 on a 6.0 machine and have it logging successfully to a MySQL database on another machine in my home network. I also have BASE installed on that machine to view the alerts.

Now I'd like to move forward and do things like "block an IP address for 1 hour that has generated 5 alerts on the same rule in the past minute". I've Googled and read about snort inline. But what I've read suggests that snort works with ipfilter. I'm running ipfw2 for my firewall on the same box that's running snort. To use snort inline, do I have to convert my entire firewall to ipfilter? Or will snort use ipfilter to do its "inline" stuff and ipfw2 can continue to work on its own? I'm confused about how this should work and would appreciate any nudges to guides regarding this setup.

Thanks,

Drew

-- 
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books, & More!
http://www.alchemistswarehouse.com
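The policy Drew describes ("5 alerts on the same rule in the past minute earns a one-hour block") is a sliding-window threshold keyed on source address and rule id, with a block list that expires. The following is an added example written for this page, not code from Snort, BASE or the original poster; it runs the policy over a constructed list of alert records and returns the block decisions, plus the `ipfw table N add` commands an ipfw2 firewall could consume (the table number and the alert tuples are assumptions made up for the example; the commands are only built as strings, not executed).

```python
from collections import defaultdict, deque

# Policy from the post: 5 alerts on one rule within 60 s -> block source for 3600 s.
THRESHOLD = 5
WINDOW_SEC = 60
BLOCK_SEC = 3600


class RateBlocker:
    """Sliding-window alert counter with an expiring block list."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SEC, block_for=BLOCK_SEC):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.hits = defaultdict(deque)   # (src_ip, sid) -> timestamps in window
        self.blocked = {}                # src_ip -> expiry timestamp

    def is_blocked(self, ip, now):
        """True while a block is active; expired entries are dropped lazily."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True

    def observe(self, ip, sid, ts):
        """Record one alert; return True only when this alert starts a new block."""
        if self.is_blocked(ip, ts):
            return False                 # already blocked: do not count further
        window = self.hits[(ip, sid)]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()             # discard alerts older than the window
        if len(window) >= self.threshold:
            self.blocked[ip] = ts + self.block_for
            window.clear()               # counting restarts after the block expires
            return True
        return False


# Constructed alert records (timestamp in seconds, source IP, Snort rule sid).
SAMPLE_ALERTS = [
    (0, "10.0.0.5", 1000), (10, "10.0.0.5", 1000), (20, "10.0.0.5", 1000),
    (30, "10.0.0.5", 1000), (40, "10.0.0.5", 1000),   # fifth hit in 40 s -> block
    (50, "10.0.0.5", 1000),                            # ignored while blocked
    (4000, "10.0.0.5", 1000),                          # block expired; counts again
    (0, "10.0.0.6", 1000), (70, "10.0.0.6", 1000), (80, "10.0.0.6", 1000),
    (90, "10.0.0.6", 1000), (100, "10.0.0.6", 1000),  # only 4 inside the window
    (105, "10.0.0.6", 1000),                           # fifth within 60 s -> block
    (0, "10.0.0.7", 1000), (1, "10.0.0.7", 1000), (2, "10.0.0.7", 1000),
    (3, "10.0.0.7", 2000), (4, "10.0.0.7", 2000),     # split across rules: no block
]


def process(alerts, blocker=None):
    """Replay alerts in time order; return (ip, block_start, block_expiry) tuples."""
    if blocker is None:
        blocker = RateBlocker()
    actions = []
    for ts, ip, sid in sorted(alerts):
        if blocker.observe(ip, sid, ts):
            actions.append((ip, ts, ts + blocker.block_for))
    return actions


def ipfw_commands(actions, table=1):
    """Render block decisions as ipfw2 table entries (table number is an assumption)."""
    return [f"ipfw table {table} add {ip}" for ip, _, _ in actions]


if __name__ == "__main__":
    decisions = process(SAMPLE_ALERTS)
    for ip, start, expiry in decisions:
        print(f"block {ip} from t={start} until t={expiry}")
    print("\n".join(ipfw_commands(decisions)))
```

The block list is keyed on the source address alone, so a host that trips the threshold on any single rule is blocked outright, while hits spread across different rules (10.0.0.7 above) never accumulate; that matches the "same rule" wording of the post. A deployment would also need the matching `ipfw table N delete` at expiry and a firewall rule that consults the table, which this example leaves out.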