[Snort-inline-users] Detecting that an IP flow has passed all rules

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I'm trying to find out whether it is possible (with snort-inline) to detect=
=20
that a particular IP flow (i.e. src/dst IP, UDP/TCP src/dst port tuple) has=
=20
"passed" all the available rules, in other words that none of the rules=20
match or will match a particular flow. The reason for this is that I want t=
o=20
have the ability to add a temporary iptables rule automatically to prevent =
a=20
known non-intrusion flows from going into the queue in the first place, to=
=20
improve network performance (by not having to copy packets from kernel to=
=20
user space) for flows that are determined to be "OK".
I've been looking through the source code and docs for a way to do this, bu=
t=20
to no avail. Is this possible at all with the snort rules architecture?=20
Essentially every rule would have to indicate whether it matches, doesn't=
=20
match, can't compute yet (e.g. not enough data received yet), or won't ever=
=20
match. At some point hopefully all rules exit the "can't compute yet" state=
,=20
and then if all of them either "don't match" or "won't match" one can say=
=20
that a flow has "passed" the intrusion prevention system.