Snort mailing list archives
Re: mark packets for further processing via iptables/tc ?
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 19 Dec 2002 21:24:56 -0500
I noticed this question, which is a bit old, went unanswered, so here's an answer.
In short, snort can do nothing like what you want, and it would be impossible for anything vaguely resembling Snort to do so.
Snort is SLOW compared to the rate at which packets propagate through your tcp stack. Tools like Guardian actually work *after* the offending packet is long gone and already through your system. It then adds a block rule for all packets from the source that triggered the alert. This does not block the initial packet of the attack, but does block follow-up packets which might be taking advantage of the exploit, or launching other attacks if the first did not succeed. It takes a noticeable amount of time (milliseconds) before the block rule gets added.
Also Snort operates in parallel with your IP stack, so while Snort is analyzing a packet, it's already been passed off to your IP stack and is working its way through your IPTables rules. Heck, in reality the packet has most likely already been passed through all the IPTables rules before Snort is even notified the packet exists!
Even if snort were re-written to hold packets and analyze them before passing them along it would likely degrade your network performance very severely. This would also make snort highly OS and kernel version specific, and probably necessitate that much of the code exist in-kernel as a part of IPTables (or IPF for the BSD folks) itself, something Snort is not intended to be.
Snort is not a firewall, nor will it ever be able to react at firewall speed. That's the price of the complex string matching that snort is capable of. It's an IDS, attempting to do complex post-event analysis of packets to detect attempts at network intrusion.
At 11:55 AM 12/11/2002 +0100, Gerd Feiner wrote:
hi there, I am new to this list and did a search on the archives prior to posting my question. However, I can't seem to find the solution to my problem. Let me explain what I want to achieve: I want (if somehow possible) to use SNORT to investigate traffic on my internet link for a very special purpose. I'd like to search for P2P traffic (kazaa, morpheus, edonkey, etc.) and then -mark- the matching packets so that I can shape them with the tc command.
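The reactive approach Matt describes (Snort sees the packet after the stack has already handled it; a helper then adds a rule that affects only the source's *later* packets) is easy to illustrate. The following is an added example, not code from the thread and not Guardian's code: it parses lines in Snort's "fast" alert format, skips sources inside networks you never want to touch (so an alert fired by your own LAN host does not cut off or throttle your own site), deduplicates per source, and returns the iptables commands a reaction script would run. In "mark" mode it emits mangle-table MARK rules so that subsequent packets from that source can be shaped by a tc filter on the fwmark, which is the closest thing to what Gerd asked for; in "drop" mode it emits the kind of block rule Matt attributes to Guardian. The sample alert lines, the SIDs in the 1000001+ local range, the 192.0.2.0/24 "site network" and the 0x1 mark value are all constructed for the example. The function only returns the command strings; it never executes anything.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample output in Snort "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = """\
12/11-11:55:03.123456  [**] [1:1000001:1] LOCAL P2P file-sharing handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 203.0.113.7:1214 -> 192.0.2.20:1214
12/11-11:55:04.000001  [**] [1:1000002:1] LOCAL P2P file-sharing handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {UDP} 10.0.0.5:4662 -> 192.0.2.20:4662
12/11-11:55:05.500000  [**] [1:1000001:1] LOCAL P2P file-sharing handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 203.0.113.7:1214 -> 192.0.2.21:1214
"""

# One line of the fast alert format: timestamp, [gid:sid:rev], message,
# optional classification, priority, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Reaction templates. "mark" tags later packets for tc (fw classifier on the mark);
# "drop" is the after-the-fact block rule Matt describes. 0x1 is a constructed mark.
REACTIONS = {
    "mark": "iptables -t mangle -A PREROUTING -s {src} -j MARK --set-mark 0x1",
    "drop": "iptables -I INPUT -s {src} -j DROP",
}


@dataclass
class Alert:
    timestamp: str
    sid: int
    msg: str
    priority: int
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None for anything that does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        timestamp=m["ts"],
        sid=int(m["sid"]),
        msg=m["msg"],
        priority=int(m["prio"]),
        proto=m["proto"],
        src=ipaddress.IPv4Address(m["src"]),
        dst=ipaddress.IPv4Address(m["dst"]),
    )


def plan_reactions(lines: Iterable[str], action: str = "mark",
                   never_touch: Iterable[str] = (), max_priority: int = 2) -> List[str]:
    """Turn alert lines into iptables commands for the *sources* that triggered them.

    The packet that produced each alert is long gone; these rules only affect the
    source's subsequent traffic. Sources inside never_touch (your own networks)
    are skipped, and each source is reacted to once.
    """
    protected = [ipaddress.IPv4Network(n) for n in never_touch]
    seen = set()
    cmds: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert.priority > max_priority:
            continue
        if any(alert.src in net for net in protected):
            continue  # never shape or block our own hosts on the strength of one alert
        if alert.src in seen:
            continue
        seen.add(alert.src)
        cmds.append(REACTIONS[action].format(src=alert.src))
    return cmds


if __name__ == "__main__":
    # 192.0.2.0/24 plays the role of the site's own network here (constructed).
    for cmd in plan_reactions(SAMPLE_ALERTS.splitlines(), action="mark",
                              never_touch=["192.0.2.0/24", "10.0.0.0/8"]):
        print(cmd)
```

Note what this does and does not achieve: the handshake packet that matched the signature has already been forwarded, and everything Snort can influence is the MARK or DROP rule applied to the next packets from that source, after whatever delay the alert pipeline adds.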