From: Will M. <wil...@gm...> - 2004-10-07 20:08:47
List,

I have gotten two e-mails today about poor performance in snort_inline. Please send me (off list if you want) a sanitized version of your snort_inline.conf file and your iptables rules. Our biggest bottleneck in snort_inline has been and probably always will be ip_queue. I'm using snort_inline on decent hardware to protect a 54mb link and I haven't ever had any complaints about speed. So it is hard for me to judge if it is something in the code that we need to fix or if it is just a configuration issue.

Regards,

Will

On Thu, 07 Oct 2004 15:26:44 -0400, Justin Azoff <ja...@ua...> wrote:
> I purposely put snort_inline on an underpowered box to see how well it
> would scale to 100mbit (not very well as it turns out:-)).
>
> I was trying to work out ways to reduce the number of packets sent
> through snort. At first I came up with something like:
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -j QUEUE
>
> which works to limit the packets going through snort, but will obviously
> cause snort to miss any attack that is broken up across many packets, or
> any attack that needs to establish a session first (like logging in to an
> anonymous ftp server).
>
> In looking at the l7-filter stuff for linux, they have the following
> feature:
>
> """
> By default, l7-filter looks at the first 8 packets or 2kB, whichever is
> smaller. You can alter the number of packets through
> /proc/net/layer7_numpackets. i.e. "echo "12" >
> /proc/net/layer7_numpackets". You can alter the maximum data size by
> recompiling the kernel with a larger value for "Buffer size for
> application layer data" (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN).
> """
>
> I was wondering if snort_inline could be made to work the same way. I
> think all that is needed is a hacked up ip_queue module, but it might be
> more complicated than that.
>
> Does anyone have any thoughts on this idea?
>
> --
> -- Justin Azoff
> -- Network Performance Analyst
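
The "first N packets per connection" idea from the quoted message can be approximated with the netfilter connbytes match instead of a modified ip_queue module. This is an added example, not part of the original thread or of snort_inline; it assumes an iptables/kernel build with the connbytes match and conntrack accounting enabled, and the function name `emit_rules` and its defaults are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints, but does not apply,
# iptables commands that queue only the first N packets of each tracked
# connection and accept the rest, like l7-filter's "first 8 packets" default.
# Assumptions: connbytes match available, conntrack accounting enabled.

emit_rules() {
    n=${1:-8}            # packets per connection to inspect (both directions)
    chain=${2:-FORWARD}  # chain to append to
    target=${3:-QUEUE}   # ip_queue target, as used in the thread

    # Refuse anything that is not a positive integer, so a typo cannot
    # produce a rule set that quietly inspects nothing.
    case $n in
        ''|*[!0-9]*)
            echo "emit_rules: packet count must be a positive integer" >&2
            return 1 ;;
    esac
    [ "$n" -ge 1 ] || { echo "emit_rules: packet count must be >= 1" >&2; return 1; }

    # 1. While a connection has seen at most N packets, send them to snort.
    #    A RELATED connection (e.g. an FTP data channel) has its own counter,
    #    so its first N packets are inspected too.
    echo "iptables -A $chain -m connbytes --connbytes 0:$n --connbytes-dir both --connbytes-mode packets -j $target"

    # 2. Past N packets, accept established traffic without queueing it.
    echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 3. Anything left (untracked or INVALID packets, or a flow past N packets
    #    that never became ESTABLISHED) still goes to snort, not around it.
    echo "iptables -A $chain -j $target"
}

# Running the script with --print [N] shows the rules for review;
# pipe the output to sh as root to apply them.
if [ "${1:-}" = "--print" ]; then
    emit_rules "${2:-8}"
fi
```

Snort sees nothing past packet N of a connection, so the limitation described in the quoted message (attacks that arrive after a session is established) still applies beyond that point.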