From: Will M. <wil...@gm...> - 2007-04-21 22:46:26
Nice work!

Regards,
Will

On 4/21/07, Michael Rash <mb...@ci...> wrote:
>
> Hi all -
>
> I have released fwsnort-1.0 (http://www.cipherdyne.org/fwsnort), and
> this release includes the ability to change a "default QUEUE" iptables
> policy to "QUEUE only those packets that match a content or uricontent
> signature keyword". I have not done a lot of extensive testing yet,
> but some preliminary performance results are encouraging. For example,
> the throughput increased by 57% using this strategy for the following
> simplistic signature (that is just designed to get snort_inline to
> inspect every TCP packet regardless of port number):
>
> alert tcp any any -> any any (msg:"fwsnort download"; content: \
> "fwsnort/download"; classtype:web-application-attack; sid:12325678;
> rev:1;)
>
> There are some tradeoffs of course (lack of stream reassembly and
> inability to do application layer decoding, for example), but in high
> throughput scenarios these disadvantages may be worth it. Snort_inline
> can still run other complex tests (pcre, byte_test, etc.) over packets
> that are queued to userspace.
>
> Here is a blog posting that includes some preliminary results for the
> signature above (using netperf for throughput testing):
>
> http://michaelrash.blogspot.com/2007/04/kernel-string-matching-and-ips.html
>
> Feedback is welcome.
>
> --
> Michael Rash
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
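The two iptables policies Michael contrasts above (queue every TCP packet to snort_inline, versus queue only packets whose payload matches the rule's content keyword) are easy to see side by side in a small translator. The script below is an added illustration written for this archive page, not fwsnort's own code; fwsnort handles far more of the Snort rule language than the content/uricontent/nocase keywords shown here. It assumes the FORWARD chain, the `bm` algorithm for xt_string, and that Snort's `|xx xx|` hex notation can be handed to `--hex-string` unchanged; the second sample rule is constructed for the example and is not from the announcement.

```python
"""Translate the content keyword of a Snort rule into an iptables rule that
QUEUEs only matching packets, beside the 'default QUEUE' rule it replaces.
Added example for this mailing-list post; not fwsnort's own code."""
import re
import shlex

# Snort rule header: action proto src sport -> dst dport (options)
RULE_HEADER = re.compile(
    r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<options>.*)\)\s*$', re.S)

# One rule option: keyword[:value]; a value is either a double-quoted string
# (which may contain escaped quotes) or a bare token up to the next ';'.
RULE_OPTION = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# The announcement's sample rule, keeping its backslash-newline continuation.
SAMPLE_RULE = ('alert tcp any any -> any any (msg:"fwsnort download"; content: \\\n'
               '"fwsnort/download"; classtype:web-application-attack; sid:12325678; '
               'rev:1;)')

# Constructed rule (not from the post) exercising a literal port and nocase.
PORT_RULE = 'alert tcp any any -> any 80 (msg:"constructed"; content:"GET /fwsnort"; nocase; sid:1;)'


def parse_rule(rule_text):
    """Return (header dict, options dict). Options keep a list per keyword
    because a rule may carry several content: keywords."""
    text = rule_text.replace('\\\n', '')  # join backslash-newline continuations
    m = RULE_HEADER.match(text)
    if not m:
        raise ValueError('unrecognised Snort rule header')
    opts = {}
    for key, val in RULE_OPTION.findall(m.group('options')):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        opts.setdefault(key, []).append(val.strip())
    return m.groupdict(), opts


def default_queue_rule(proto='tcp', chain='FORWARD'):
    """The 'default QUEUE' policy: every packet of the protocol is handed to
    userspace for inspection, whatever its payload."""
    return ['iptables', '-A', chain, '-p', proto, '-j', 'QUEUE']


def content_queue_rule(rule_text, chain='FORWARD'):
    """QUEUE only packets whose payload matches the rule's content or
    uricontent keyword, using the kernel's xt_string match as the filter."""
    hdr, opts = parse_rule(rule_text)
    patterns = opts.get('content', []) + opts.get('uricontent', [])
    if not patterns:
        raise ValueError('rule has no content/uricontent keyword to match on')
    proto = 'all' if hdr['proto'] == 'ip' else hdr['proto']
    argv = ['iptables', '-A', chain, '-p', proto]
    for flag, value in (('-s', hdr['src']), ('-d', hdr['dst'])):
        if value != 'any':
            argv += [flag, value]
    for flag, value in (('--sport', hdr['sport']), ('--dport', hdr['dport'])):
        if value == 'any':
            continue
        if not value.isdigit():
            raise ValueError('only literal ports handled here, got %r' % value)
        argv += [flag, value]
    for pattern in patterns:
        # Assumption: Snort's |xx xx| hex notation is passed to --hex-string as-is.
        flag = '--hex-string' if '|' in pattern else '--string'
        argv += ['-m', 'string', flag, pattern, '--algo', 'bm']
        if 'nocase' in opts:
            argv.append('--icase')
    argv += ['-j', 'QUEUE']
    return argv


def as_shell(argv):
    """Render an argv list as a pasteable shell command line."""
    return ' '.join(shlex.quote(a) for a in argv)


if __name__ == '__main__':
    print('# default QUEUE:      ' + as_shell(default_queue_rule()))
    print('# content-only QUEUE: ' + as_shell(content_queue_rule(SAMPLE_RULE)))
    print('# with port + nocase: ' + as_shell(content_queue_rule(PORT_RULE)))
```

The first rule sends every TCP packet through the kernel/userspace boundary; the second makes the kernel's Boyer-Moore string match do the coarse filtering and only queues packets containing the literal, which is where the throughput gain in the post comes from. The same stream-reassembly and decoding caveats Michael lists apply: a literal split across two segments is not seen by xt_string.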