Nice work!
Regards,
Will
On 4/21/07, Michael Rash <mb...@ci...> wrote:
>
> Hi all -
>
> I have released fwsnort-1.0 (http://www.cipherdyne.org/fwsnort), and
> this release includes the ability to change a "default QUEUE" iptables
> policy to "QUEUE only those packets that match a content or uricontent
> signature keyword". I have not done a lot of extensive testing yet,
> but some preliminary performance results are encouraging. For example,
> the throughput increased by 57% using this strategy for the following
> simplistic signature (that is just designed to get snort_inline to
> inspect every TCP packet regardless of port number):
>
> alert tcp any any -> any any (msg:"fwsnort download"; content: \
> "fwsnort/download"; classtype:web-application-attack; sid:12325678;
> rev:1;)
>
> There are some tradeoffs of course (lack of stream reassembly and
> inability to do application layer decoding for example), but in high
> throughput scenarios these disadvantages may be worth it. Snort_inline
> can still run other complex tests (pcre, byte_test, etc.) over packets
> that are queued to userspace.
>
> Here is a blog posting that includes some preliminary results for the
> signature above (using netperf for throughput testing):
>
>
> http://michaelrash.blogspot.com/2007/04/kernel-string-matching-and-ips.html
>
> Feedback is welcome.
>
> --
> Michael Rash
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
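The selective QUEUE policy described in the quoted announcement, as an added example that is not fwsnort's own code: one Snort rule is translated into iptables rules that send only payloads matching every content keyword to userspace, while the kernel forwards everything else itself. It assumes the classic QUEUE target on the FORWARD chain, the iptables string match with the Boyer-Moore algorithm, and plain-text content keywords (no |hex| bytes, which would need --hex-string).

```shell
#!/bin/sh
# Added example, not fwsnort's own code: emit iptables commands that QUEUE
# only packets whose payload contains every content:"..." keyword of one
# Snort rule, instead of a blanket "default QUEUE" policy.

# Print the iptables commands for the Snort rule given as $1.
# Only the protocol, destination port, content keywords and sid are used;
# pcre, byte_test and friends stay with snort_inline in userspace.
snort_to_iptables() {
    rule=$1
    proto=$(printf '%s\n' "$rule" | awk '{print $2}')
    dport=$(printf '%s\n' "$rule" | awk '{print $7}')
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid: *\([0-9][0-9]*\).*/\1/p')

    # "any" destination port means no --dport restriction.
    ports=""
    if [ "$dport" != "any" ]; then
        ports=" --dport $dport"
    fi

    # Each content keyword becomes one string match; all must hit (AND).
    # A here-document keeps the loop in the current shell so $matches persists.
    matches=""
    while IFS= read -r c; do
        [ -n "$c" ] && matches="$matches -m string --string \"$c\" --algo bm"
    done <<EOF
$(printf '%s\n' "$rule" | grep -o 'content: *"[^"]*"' | sed 's/^content: *"//; s/"$//')
EOF

    if [ -z "$matches" ]; then
        echo "# sid:$sid has no content keyword and cannot be pre-filtered" >&2
        return 1
    fi

    # ACCEPT policy: non-matching traffic never leaves the kernel.
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -A FORWARD -p $proto$ports$matches -m comment --comment \"sid:$sid\" -j QUEUE"
}

# The signature from the announcement, queued only on a payload match.
snort_to_iptables 'alert tcp any any -> any any (msg:"fwsnort download"; content: "fwsnort/download"; classtype:web-application-attack; sid:12325678; rev:1;)'
```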