On Sat, 17 Apr 2004, Alex Dupre wrote:
> Richard Bejtlich wrote:
>
> > Would you or anyone
> > else have a suggested set of ipfw rules to work with
> > Snort-inline?
>
> There isn't a suggested set, it depends on your needs. The simplest
> solution is a rule that diverts all ip traffic :-)
Because of the nature of divert in ipfw, it would be dangerous to
suggest a global ruleset that works for everyone. However, in the
simplest form, you could always send inbound traffic to
snort_inline first before any further packet processing is done
and inspect outbound traffic last so as to not break NAT rules
in between. For example:

At the beginning of your ruleset put:

  ipfw add 100 divert 8000 ip from any to any in via de0

At the end of your ruleset put:

  ipfw add 65000 divert 8000 ip from any to any out via de0

You could also run multiple copies of snort_inline listening on
different divert sockets with different rulesets. The reason to
do this is to distribute the load across multiple snort processes.
This would be a good idea if you have a large diverse snort
ruleset.

For example, run 1 copy of snort_inline to inspect tcp port
80 traffic, 1 copy of snort_inline for port 21, etc. Then use
ipfw divert rules to send the appropriate traffic to the different
snort processes.

This would also make good sense if you have multiple processors
and lots of memory.
As Alex mentioned, discussion has started to work on a better
version of the *BSD support with PF. This is somewhat reliant on
how quickly we can get PF to support something similar to IPQUEUEs
in Linux or divert sockets in FreeBSD. Currently, PF only has
support through its packet logging interface, which would not be
sufficient, IMO.
--
Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips