Snort mailing list archives

Re: Country Block functionality in pre-processor


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 1 Mar 2011 08:12:38 -0500

On Feb 28, 2011, at 9:40 PM, Mehma Sarja wrote:

Been running both country block and snort for the past few months and 
have one observation. Searched lists for similar discussion and did not 
find any. From what little I understand, the pre-processor rules are 
like a scouting party sent out by the military. Their job is to report 
on the approaching enemy.


Not really, although I could see where you would understand that.  Preprocessors are functionality of Snort, they 
normalize traffic (for the most part) for the passing of traffic through to the Detection Engine (Rules).  Some 
preprocessors have other functionality, for example, the SSL preprocessor with its ability to ignore SSL sessions.  
However, for the most part the functionality of preprocessors is the former (above), normalization of traffic.  


I am seeing one of the countries blocked being marked by the 
pre-processor and if true, have this one suggestion. If user selected 
to-block countries are somehow implemented in the pre-processors and 
requests from those IPs are dropped, it will free up firewall resources.

But..  that's what a firewall and router's job /is/.

 
In my case, I am blocking all but 4 countries for my home setup. Imagine 
the resource savings if snort does not have to hassle with 98% of the 
IPs trying to come in.

This is why we suggest that IP blocks be done on an external machine such as a firewall or router.  These two 
statements, as I read them, are contradictory.

Now, there are going to be people that will read my email and think the opposite.  They want to block IPs at the Snort 
level instead of the firewall level.  This could be for many reasons:

        1) They aren't the firewall or network admin, and therefore don't always get their way as far as blocking IPs, 
so they do it themselves inside of Snort.
        2) They can't convince people the value of blocking individual IPs.
        3) <insert whatever else here>

My opinion (and the opinion of many others) is: block IPs at the router or firewall, then let Snort deal with the 
stuff that makes it through that first line of defense.  It's easy to block the layer 3 and 4 stuff at the firewall or 
router.  Snort will deal with the rest of layer 5, 6, and 7.

Of course there are going to be those that disagree, and I welcome the discussion.

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
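As an added illustration (not part of this thread or of Snort itself), the following Python script sketches the layering Joel describes: a country allow-list enforced with ipset/iptables in front of an inline Snort, so only traffic from the permitted countries ever reaches the detection engine. The prefix table is constructed, not real GeoIP data, and a real ruleset would also carry LAN and established-state rules ahead of the final DROP.

```python
"""Country allow-list at the firewall, ahead of Snort (constructed example)."""
import ipaddress

# Constructed stand-in for a GeoIP country->prefix table (documentation ranges,
# not real allocations).
COUNTRY_PREFIXES = {
    "US": ["198.51.100.0/24", "203.0.113.0/25"],
    "CA": ["203.0.113.128/25"],
    "DE": ["192.0.2.0/25"],
    "FR": ["192.0.2.128/25"],
}

def build_allowlist(allowed):
    """Flatten the prefixes of the allowed countries into network objects."""
    nets = []
    for cc in allowed:
        nets.extend(ipaddress.ip_network(p) for p in COUNTRY_PREFIXES.get(cc, []))
    return nets

def render_rules(allowed, setname="geo_allow"):
    """Emit ipset/iptables lines: sources in the allowed set are handed to the
    NFQUEUE an inline Snort reads from; everything else is dropped at layer 3
    before Snort spends any cycles on it."""
    lines = [f"ipset create {setname} hash:net"]
    lines += [f"ipset add {setname} {n}" for n in build_allowlist(allowed)]
    lines.append(f"iptables -A INPUT -m set --match-set {setname} src "
                 "-j NFQUEUE --queue-num 0")
    lines.append("iptables -A INPUT -j DROP")
    return lines

def reaches_snort(src_ip, allowed):
    """The decision the firewall makes for one inbound source address."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in build_allowlist(allowed))

def firewall_filter_share(sources, allowed):
    """Fraction of inbound sources dropped before Snort ever sees them."""
    dropped = sum(1 for s in sources if not reaches_snort(s, allowed))
    return dropped / len(sources)

# Constructed sample of inbound source addresses seen at the perimeter.
SAMPLE_SOURCES = ["198.51.100.7", "192.0.2.9", "192.0.2.200",
                  "203.0.113.3", "203.0.113.140"]

if __name__ == "__main__":
    print("\n".join(render_rules(["US", "CA"])))
    print("dropped before Snort:", firewall_filter_share(SAMPLE_SOURCES, ["US", "CA"]))
```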


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel