snort-inline-users

[Snort-inline-users] limiting the number of packets seen by snort

[Justin A. <JA...@ua...>]

I purposely put snort_inline on an underpowered box to see how well it
would scale to 100mbit (not very well as it turns out:-)).

I was trying to work out ways to reduce the number of packets sent
through snort.  At first I came up with something like:

iptables -A forward -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A forward -j QUEUE

which works to limit the packets going through snort, but will obviously
cause snort to miss any attack that is broken up across many packets, or
any attack that needs to establish a session first(like logging in to an
anonymous ftp server).

In looking at the l7-filter stuff for linux, they have the following
feature:

"""
By default, l7-filter looks at the first 8 packets or 2kB, whichever is
smaller. You can alter the number of packets through
/proc/net/layer7_numpackets. i.e. "echo "12" >
/proc/net/layer7_numpackets". You can alter the maximum data size by
recompiling the kernel with a larger value for "Buffer size for
application layer data" (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN).
"""

I was wondering if snort_inline could be made to work the same way.  I
think all that is needed is a hacked up ip_queue module, but it might be
more complicated than that.

Does anyone have any thoughts on this idea?

-- 
-- Justin Azoff
-- Network Performance Analyst

Re: [Snort-inline-users] limiting the number of packets seen by snort

[Will M. <wil...@gm...>]

List,

I have gotten two e-mails today about poor performance in
snort_inline.  Please send me (off list if you want) a sanitized
version of your snort_inline.conf file and your iptables rules.  Our
biggest bottleneck in snort_inline has been and probably always will
be ip_queue.  I'm using snort_inline on decent hardware to protect an
54mb link and I haven't ever had any complaints about speed.  So it is
hard for me to judge if it is something in the code that we need to
fix or if it is just a configuration issue.

Regards,

Will

On Thu, 07 Oct 2004 15:26:44 -0400, Justin Azoff
<ja...@ua...> wrote:
> I purposely put snort_inline on an underpowered box to see how well it
> would scale to 100mbit (not very well as it turns out:-)).
> 
> I was trying to work out ways to reduce the number of packets sent
> through snort.  At first I came up with something like:
> 
> iptables -A forward -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A forward -j QUEUE
> 
> which works to limit the packets going through snort, but will obviously
> cause snort to miss any attack that is broken up across many packets, or
> any attack that needs to establish a session first(like logging in to an
> anonymous ftp server).
> 
> In looking at the l7-filter stuff for linux, they have the following
> feature:
> 
> """
> By default, l7-filter looks at the first 8 packets or 2kB, whichever is
> smaller. You can alter the number of packets through
> /proc/net/layer7_numpackets. i.e. "echo "12" >
> /proc/net/layer7_numpackets". You can alter the maximum data size by
> recompiling the kernel with a larger value for "Buffer size for
> application layer data" (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN).
> """
> 
> I was wondering if snort_inline could be made to work the same way.  I
> think all that is needed is a hacked up ip_queue module, but it might be
> more complicated than that.
> 
> Does anyone have any thoughts on this idea?
> 
> --
> -- Justin Azoff
> -- Network Performance Analyst
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>