From: Nick R. <ni...@ro...> - 2004-04-19 07:57:14
On Sat, 17 Apr 2004, Alex Dupre wrote:

> Richard Bejtlich wrote:
>
> > Would you or anyone else have a suggested set of ipfw rules to work with
> > Snort-inline?
>
> There isn't a suggested set, it depends on your needs. The simplest
> solution is a rule that diverts all ip traffic :-)

Because of the nature of divert in ipfw, it would be dangerous to suggest a
global ruleset that works for everyone. However, in the simplest form, you
could always send inbound traffic to snort_inline first before any further
packet processing is done and inspect outbound traffic last so as to not
break NAT rules in between. For example:

At the beginning of your ruleset put:

    ipfw add 100 divert 8000 ip from any to any in via de0

At the end of your ruleset put:

    ipfw add 65000 divert 8000 ip from any to any out via de0

You could also run multiple copies of snort_inline listening on different
divert sockets with different rulesets. The reason to do this is to
distribute the load across multiple snort processes. This would be a good
idea if you have a large diverse snort ruleset. For example, run 1 copy of
snort_inline to inspect tcp port 80 traffic, 1 copy of snort_inline for
port 21, etc. Then use ipfw divert rules to send the appropriate traffic to
the different snort processes. This would also make good sense if you have
multiple processors and lots of memory.

As Alex mentioned, discussion has started to work on a better version of
the *BSD support with PF. This is somewhat reliant on how quickly we can
get PF to support something similar to IPQUEUEs in Linux or divert sockets
in FreeBSD. Currently, PF only has support through its packet logging
interface which would not be sufficient, IMO.

--
Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips
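The per-port split Nick describes (one snort_inline per divert socket, inbound diverts placed first and outbound diverts placed last so NAT sits between them) can be laid out as a small ruleset generator. The script below is an added example and not code from the post or from the snort_inline project; it only prints the ipfw commands rather than loading them, so the generated ruleset can be reviewed first. The interface name de0, the port list, the divert socket numbers, and the assumption that the protected servers sit behind de0 (so inbound traffic is matched on destination port and outbound on source port) are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): emit an ipfw ruleset that
# splits traffic across several snort_inline instances, one per divert
# socket. Interface, ports and divert socket numbers are assumed values.
#
# Each spec is "proto:port:divertport". Traffic to <port> (inbound) or from
# <port> (outbound) goes to the snort_inline listening on <divertport>;
# this assumes the protected servers are behind $iface.

gen_ipfw_rules() {
    iface=$1          # e.g. de0
    catchall=$2       # divert port for traffic that no spec matches
    shift 2

    # Inbound: divert before NAT or any other processing (low rule numbers).
    n=100
    for spec in "$@"; do
        proto=${spec%%:*}
        rest=${spec#*:}
        port=${rest%%:*}
        dport=${rest#*:}
        printf 'ipfw add %d divert %s %s from any to any %s in via %s\n' \
            "$n" "$dport" "$proto" "$port" "$iface"
        n=$((n + 10))
    done
    # Anything inbound that no per-port rule matched still gets inspected.
    printf 'ipfw add %d divert %s ip from any to any in via %s\n' \
        "$n" "$catchall" "$iface"

    echo '# ... NAT and filter rules go here, between the two divert blocks ...'

    # Outbound: divert last, so replies have already passed through NAT.
    n=65000
    for spec in "$@"; do
        proto=${spec%%:*}
        rest=${spec#*:}
        port=${rest%%:*}
        dport=${rest#*:}
        printf 'ipfw add %d divert %s %s from any %s to any out via %s\n' \
            "$n" "$dport" "$proto" "$port" "$iface"
        n=$((n + 10))
    done
    printf 'ipfw add %d divert %s ip from any to any out via %s\n' \
        "$n" "$catchall" "$iface"
}

# How many snort_inline processes the generated ruleset needs: one per
# distinct divert port (field 5 of each "ipfw add N divert PORT ..." line).
count_instances() {
    gen_ipfw_rules "$@" | awk '/^ipfw/ { print $5 }' | sort -u | wc -l | tr -d ' '
}

# Constructed example: ports 80 and 21 get their own instance, everything
# else goes to the catch-all instance on divert socket 8000.
gen_ipfw_rules de0 8000 tcp:80:8001 tcp:21:8002
```

Redirect the output to a file and load it with sh once reviewed; the catch-all rules at the end of each block are what keep traffic outside the per-port list from bypassing inspection entirely.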