From: Michael R. <mb...@ci...> - 2007-04-21 19:47:45
Hi all - I have released fwsnort-1.0 (http://www.cipherdyne.org/fwsnort), and this release includes the ability to change a "default QUEUE" iptables policy to "QUEUE only those packets that match a content or uricontent signature keyword". I have not done a lot of extensive testing yet, but some preliminary performance results are encouraging. For example, the throughput increased by 57% using this strategy for the following simplistic signature (that is just designed to get snort_inline to inspect every TCP packet regardless of port number):

alert tcp any any -> any any (msg:"fwsnort download"; content:"fwsnort/download"; classtype:web-application-attack; sid:12325678; rev:1;)

There are some tradeoffs of course (lack of stream reassembly and inability to do application layer decoding, for example), but in high throughput scenarios these disadvantages may be worth it. Snort_inline can still run other complex tests (pcre, byte_test, etc.) over packets that are queued to userspace.

Here is a blog posting that includes some preliminary results for the signature above (using netperf for throughput testing): http://michaelrash.blogspot.com/2007/04/kernel-string-matching-and-ips.html

Feedback is welcome.

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
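The two iptables policies the post contrasts, and the "lack of stream reassembly" tradeoff it mentions, as an added illustration that is not part of the original message and not fwsnort's own code. The iptables rule layout (`-m string --string ... --algo bm -j QUEUE` inserted into FORWARD), the regex used to pull `content`/`uricontent` keywords out of the Snort rule, and the sample HTTP request are all assumptions made for this example; the only thing taken from the post is the signature itself. The `queued_payloads` function models what `-m string` sees: each TCP segment payload on its own, with no reassembly.

```python
# Added illustration (not fwsnort's own code): translate the content keyword
# of a Snort rule into an iptables string-match rule that queues only matching
# packets, and model the per-packet matching tradeoff the post mentions.
import re
import shlex

# The signature from the post, on one line.
SNORT_RULE = ('alert tcp any any -> any any (msg:"fwsnort download"; '
              'content:"fwsnort/download"; classtype:web-application-attack; '
              'sid:12325678; rev:1;)')

# Constructed sample HTTP request that the signature should hit.
REQUEST = (b"GET /fwsnort/download HTTP/1.0\r\n"
           b"Host: www.cipherdyne.org\r\n\r\n")

# Assumed parser for content:"..." / uricontent:"..." (handles \" escapes).
CONTENT_RE = re.compile(r'\b(content|uricontent)\s*:\s*"((?:[^"\\]|\\.)*)"')


def content_strings(rule):
    """Return the content:/uricontent: arguments of a Snort rule, in order.
    Snort writes binary bytes as |47 45 54| inside the quotes; iptables
    -m string accepts the same pipe notation via --hex-string."""
    return [m.group(2) for m in CONTENT_RE.finditer(rule)]


def default_queue_rule(chain="FORWARD", proto="tcp"):
    """The 'default QUEUE' policy: every TCP packet goes to userspace."""
    return "iptables -I %s -p %s -j QUEUE" % (chain, proto)


def string_match_queue_rule(rule, chain="FORWARD", proto="tcp"):
    """Queue only packets whose payload contains the first content keyword.
    The rule layout is an ASSUMPTION for illustration; the rules fwsnort
    actually generates are not shown in the post."""
    contents = content_strings(rule)
    if not contents:
        return None
    opt = "--hex-string" if "|" in contents[0] else "--string"
    return "iptables -I %s -p %s -m string %s %s --algo bm -j QUEUE" % (
        chain, proto, opt, shlex.quote(contents[0]))


def segment(payload, mss):
    """Split an application payload into TCP segment payloads of at most mss bytes."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def queued_payloads(segments, needle=None):
    """Which segment payloads reach snort_inline under each policy.
    needle=None models default QUEUE (everything is queued). Otherwise the
    kernel string match is applied per packet, with no stream reassembly,
    so a content string split across two segments is never matched."""
    if needle is None:
        return list(segments)
    return [seg for seg in segments if needle.encode() in seg]


if __name__ == "__main__":
    print(default_queue_rule())
    print(string_match_queue_rule(SNORT_RULE))
    for mss in (1460, 12):
        segs = segment(REQUEST, mss)
        print("mss=%d: default QUEUE passes %d/%d segments, string match %d/%d"
              % (mss, len(queued_payloads(segs)), len(segs),
                 len(queued_payloads(segs, "fwsnort/download")), len(segs)))
```

Run stand-alone, the last line shows the tradeoff: with the request in a single segment both policies hand it to snort_inline, but once the payload is split into 12-byte segments the string-match rule queues nothing, while under default QUEUE every segment still reaches userspace where Snort's own stream reassembly can catch it.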