From: Will M. <wil...@gm...> - 2005-05-25 13:10:09

>Is there perhaps a kind of IP_QUEUE mmap solution which will save cpu by not
>having to actually copy the packet from kernel to userspace? (e.g. similar to
>mmap pcap where ring buffers in the kernel are mapped to userspace directly)

hmmmm, not currently. You want to write one?

Regards,

Will

On 5/25/05, Bert van Leeuwen <ber...@gm...> wrote:
> Perhaps it is not possible with snort-inline, that is what I am trying to
> determine. I was hoping the "per-flow" rules would somehow be able to turn
> off after a while, e.g. after n bytes of content had been seen etc., but I
> guess there will always be many "per packet" rules checking for things like
> illegal IP fragments and IP header weirdness etc.
>
> I was not considering using custom signatures or any other customised
> solution. The more I think about this, what I wanted to achieve doesn't
> sound possible, at least not with snort, and perhaps not at all.
>
> Is there perhaps a kind of IP_QUEUE mmap solution which will save cpu by not
> having to actually copy the packet from kernel to userspace? (e.g. similar
> to mmap pcap where ring buffers in the kernel are mapped to userspace
> directly)
>
> Roland Turner said:
>
> > I'm not sure that I understand how this is possible. The fact that the
> > first n packets of a flow don't match any signatures does not mean that no
> > subsequent packets will.
> >
> > Do you have a specific situation in mind? (Custom signatures perhaps?)
> >
> >
> > - Raz
> >
>