From: Justin A. <JA...@ua...> - 2004-10-07 19:26:51
I purposely put snort_inline on an underpowered box to see how well it would scale to 100mbit (not very well, as it turns out :-)). I was trying to work out ways to reduce the number of packets sent through snort. At first I came up with something like:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -j QUEUE

which works to limit the packets going through snort, but will obviously cause snort to miss any attack that is broken up across many packets, or any attack that needs to establish a session first (like logging in to an anonymous ftp server).

In looking at the l7-filter stuff for linux, they have the following feature:

"""
By default, l7-filter looks at the first 8 packets or 2kB, whichever is smaller. You can alter the number of packets through /proc/net/layer7_numpackets. i.e. "echo "12" > /proc/net/layer7_numpackets". You can alter the maximum data size by recompiling the kernel with a larger value for "Buffer size for application layer data" (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN).
"""

I was wondering if snort_inline could be made to work the same way. I think all that is needed is a hacked up ip_queue module, but it might be more complicated than that. Does anyone have any thoughts on this idea?

--
-- Justin Azoff
-- Network Performance Analyst
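The "first N packets or first M bytes" behaviour described in the post can be had from iptables alone, with no change to ip_queue, by combining the state match with the connbytes match: once conntrack has seen more than N packets (or more than M bytes) on a connection, the remaining packets are ACCEPTed ahead of the catch-all QUEUE rule. The script below is an added example, not code from the original post or from snort_inline; it assumes the connbytes match (ipt_connbytes/xt_connbytes) is available and that conntrack accounting is enabled, and its 8-packet / 2048-byte defaults are placeholders chosen to mirror l7-filter's.

```shell
#!/bin/sh
# Added example (not from the original post): inspect only the first
# NUMPACKETS packets or MAXBYTES bytes of each connection in snort_inline,
# using iptables' connbytes match instead of a modified ip_queue.
# Assumptions: the connbytes match is available and conntrack accounting is on.
NUMPACKETS="${NUMPACKETS:-8}"    # placeholder, like /proc/net/layer7_numpackets
MAXBYTES="${MAXBYTES:-2048}"     # placeholder, like CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN

# Run an iptables command, or only print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Append the FORWARD rules.  Order matters: both ACCEPT rules must precede the
# catch-all QUEUE so that already-inspected connections stop reaching snort.
install_rules() {
    # conntrack updates its counters before the FORWARD chain runs, so the
    # (N+1)th packet of a connection is the first one the packet rule accepts.
    pkt_threshold=$((NUMPACKETS + 1))

    # Kernels 2.6.27 and later ship with conntrack accounting off by default;
    # without it connbytes never matches.  Skipped in dry-run mode.
    if [ "${DRYRUN:-0}" != 1 ] && [ -w /proc/sys/net/netfilter/nf_conntrack_acct ]; then
        echo 1 > /proc/sys/net/netfilter/nf_conntrack_acct
    fi

    # After NUMPACKETS packets (both directions) the connection bypasses snort.
    # RELATED connections (e.g. ftp-data) get their own counters starting at
    # zero, so their first packets are still inspected.
    run -A FORWARD -m state --state ESTABLISHED,RELATED \
        -m connbytes --connbytes "$pkt_threshold:" --connbytes-dir both --connbytes-mode packets \
        -j ACCEPT

    # ...or after MAXBYTES bytes, whichever comes first.  connbytes counts whole
    # IP packets, not application-layer payload as l7-filter does, so this is
    # slightly stricter than l7-filter's 2kB.
    run -A FORWARD -m state --state ESTABLISHED,RELATED \
        -m connbytes --connbytes "$MAXBYTES:" --connbytes-dir both --connbytes-mode bytes \
        -j ACCEPT

    # Everything else (new connections and the start of every connection)
    # is handed to snort_inline.
    run -A FORWARD -j QUEUE
}

# Usage: sh queue_first_n.sh --install   (DRYRUN=1 prints the rules instead)
if [ "${1:-}" = "--install" ]; then
    install_rules
fi
```

Check the effect with `iptables -vnL FORWARD`: the QUEUE rule's counters should grow only by a few packets per connection while the two ACCEPT rules take the bulk. The trade-off is the same one the post notes for the state-only rule, just bounded: snort still misses anything that appears after the threshold, and packets conntrack cannot classify (INVALID) carry no counters and fall through to QUEUE.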