From: Bert v. L. <ber...@gm...> - 2005-05-24 09:31:05
I'm trying to find out whether it is possible (with snort-inline) to detect that a particular IP flow (i.e. src/dst IP, UDP/TCP src/dst port tuple) has "passed" all the available rules, in other words that none of the rules match or will match a particular flow. The reason for this is that I want to have the ability to add a temporary iptables rule automatically to prevent known non-intrusion flows from going into the queue in the first place, to improve network performance (by not having to copy packets from kernel to user space) for flows that are determined to be "OK".

I've been looking through the source code and docs for a way to do this, but to no avail. Is this possible at all with the snort rules architecture? Essentially every rule would have to indicate whether it matches, doesn't match, can't compute yet (e.g. not enough data received yet), or won't ever match. At some point hopefully all rules exit the "can't compute yet" state, and then if all of them either "don't match" or "won't match" one can say that a flow has "passed" the intrusion prevention system.
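The per-rule verdict scheme sketched in the post (match / doesn't match / can't compute yet / won't ever match, aggregated per flow until no rule is still undecided) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from Snort or snort-inline: `ContentRule`, `FlowKey`, `FlowTracker` and the iptables command string are all hypothetical constructs, the rule SIDs and packet payloads are constructed sample data, and the bypass rule assumes it would be inserted ahead of the rule that hands traffic to the QUEUE target.

```python
"""Added example: per-flow aggregation of rule verdicts into PENDING / MATCHED / PASSED.

Hypothetical model of the scheme described in the post; not snort-inline code.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """The four per-rule outcomes enumerated in the post."""
    MATCH = "match"
    NO_MATCH = "doesn't match"
    PENDING = "can't compute yet"
    NEVER = "won't ever match"


@dataclass(frozen=True)
class FlowKey:
    """The 5-tuple identifying a flow (hypothetical structure for this example)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ContentRule:
    """Hypothetical stand-in for a Snort content rule: fires when `pattern`
    occurs within the first `depth` payload bytes of a flow to proto/dst_port."""

    def __init__(self, sid, proto, dst_port, pattern, depth):
        self.sid, self.proto, self.dst_port = sid, proto, dst_port
        self.pattern, self.depth = pattern, depth

    def evaluate(self, key, payload):
        if key.proto != self.proto or key.dst_port != self.dst_port:
            return Verdict.NEVER          # header part can never match this flow
        if self.pattern in payload[: self.depth]:
            return Verdict.MATCH
        if len(payload) >= self.depth:
            return Verdict.NEVER          # whole inspection window seen, no hit
        return Verdict.PENDING            # need more payload before deciding


def aggregate(verdicts):
    """Flow-level status from the per-rule verdicts, as the post defines it."""
    if Verdict.MATCH in verdicts:
        return "MATCHED"
    if Verdict.PENDING in verdicts:
        return "PENDING"                  # some rule still can't be computed
    return "PASSED"                       # every rule is NO_MATCH or NEVER


class FlowTracker:
    """Reassembles each flow's payload and re-evaluates every rule on each packet."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.payloads = {}                # FlowKey -> payload bytes seen so far

    def observe(self, key, segment):
        data = self.payloads.get(key, b"") + segment
        self.payloads[key] = data
        return aggregate([r.evaluate(key, data) for r in self.rules])


def iptables_bypass_rule(key):
    """Command that would let a PASSED flow skip the queue (assumption: inserted
    before the QUEUE rule in FORWARD, and removed again by a timer)."""
    return (f"iptables -I FORWARD 1 -p {key.proto} -s {key.src_ip} --sport {key.src_port} "
            f"-d {key.dst_ip} --dport {key.dst_port} -j ACCEPT")


if __name__ == "__main__":
    # Constructed sample rules (local SID range) and flows.
    tracker = FlowTracker([
        ContentRule(1000001, "tcp", 80, b"cmd.exe", 200),
        ContentRule(1000002, "udp", 69, b"passwd", 32),
    ])
    web = FlowKey("tcp", "10.0.0.5", 40000, "192.0.2.10", 80)
    print(tracker.observe(web, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"))  # PENDING
    print(tracker.observe(web, b"User-Agent: test\r\n" + b"A" * 200))                   # PASSED
    print(iptables_bypass_rule(web))
```

Two things the model makes visible. A flow reaches PASSED only once every rule has left PENDING, which for content rules means the whole `depth` window has been reassembled; flows on ports no rule covers pass on their first packet. And "doesn't match" is weaker than "won't ever match": a per-packet check that reports NO_MATCH now may still fire on a later packet, so once the bypass rule is in place nothing after that point is inspected, which is why the rule should be temporary and tied to the flow's lifetime.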