Snort mailing list archives

Re: mark packets for further processing via iptables/tc ?


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 19 Dec 2002 21:24:56 -0500

I noticed this question, which is a bit old, went unanswered, so here's an answer.

In short, snort can do nothing like what you want, and it would be impossible for anything vaguely resembling Snort to do so.

Snort is SLOW compared to the rate at which packets propagate through your tcp stack. Tools like Guardian actually work *after* the offending packet is long gone and already through your system. It then adds a block rule for all packets from the source that triggered the alert. This does not block the initial packet of the attack, but does block follow-up packets which might be taking advantage of the exploit, or launching other attacks if the first did not succeed. It takes a noticeable amount of time (milliseconds) before the block rule gets added.

Also Snort operates in parallel with your IP stack, so while Snort is analyzing a packet, it's already been passed off to your IP stack and is working its way through your IPTables rules. Heck, in reality the packet has most likely already been passed through all the IPTables rules before Snort is even notified the packet exists!

Even if snort were re-written to hold packets and analyze them before passing them along it would likely degrade your network performance very severely. This would also make snort highly OS and kernel version specific, and probably necessitate that much of the code exist in-kernel as a part of IPTables (or IPF for the BSD folks) itself, something Snort is not intended to be.

Snort is not a firewall, nor will it ever be able to react at firewall speed. That's the price of the complex string matching that snort is capable of. It's an IDS, attempting to do complex post-event analysis of packets to detect attempts at network intrusion.


At 11:55 AM 12/11/2002 +0100, Gerd Feiner wrote:
hi there,

I am new to this list and did a search on the archives prior to posting
my question.  However, I can't seem to find the solution to my problem.

Let me explain what i want to achieve:

I want (if somehow possible) use SNORT to investigate traffic on my
internet-link for a very special purpose.  I'd like to seek for
P2P-traffic (kazaa, morpheus, edonkey, etc.) and then -mark- the
matching packets so that I can shape them with the tc-command.
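The timing argument in Matt's reply (the offending packet is already through the stack; a Guardian-style responder only adds a block rule some milliseconds later, so only follow-up packets from that source are dropped) can be made concrete with a small model. This is an added example, not code from the thread or from Guardian; the alert line, addresses, SID and latencies are constructed, and the fast-alert regex is a simplified assumption about Snort's fast output format.

```python
"""Model of post-event blocking built on Snort alerts (added example, not from the thread)."""
import re

# Constructed Snort "fast"-style alert line; SID 1:1000001:1 is a local-rule placeholder.
SAMPLE_ALERT = ("12/11-11:55:02.123456  [**] [1:1000001:1] P2P client traffic [**] "
                "[Priority: 3] {TCP} 198.51.100.7:6881 -> 192.0.2.10:6881")

# Simplified fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):?(?P<sport>\d+)?\s+->\s+(?P<dst>[\d.]+):?(?P<dport>\d+)?$"
)

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def block_rule(src):
    """The kind of rule a Guardian-like responder adds after the alert: drop all of src."""
    return f"iptables -I INPUT -s {src} -j DROP"

def simulate(packets, alert_latency_ms):
    """packets: (t_ms, src, triggers_alert) tuples. Returns (passed, dropped) as (t, src) lists.
    The stack handles every packet immediately; a DROP rule for src only takes effect
    alert_latency_ms after the packet that raised the alert was seen."""
    block_at = {}                      # src -> time its DROP rule becomes active
    passed, dropped = [], []
    for t, src, triggers in sorted(packets):
        if src in block_at and t >= block_at[src]:
            dropped.append((t, src))   # follow-up packet hits the rule
            continue
        passed.append((t, src))        # already through the stack before Snort reacts
        if triggers and src not in block_at:
            block_at[src] = t + alert_latency_ms
    return passed, dropped

# Constructed traffic: the triggering packet, two follow-ups from the same host, one bystander.
SAMPLE_PACKETS = [
    (0, "198.51.100.7", True),
    (2, "198.51.100.7", False),
    (3, "203.0.113.5", False),
    (10, "198.51.100.7", False),
]
```

With a 5 ms reaction time the triggering packet and the follow-up at 2 ms both pass; only the packet at 10 ms is dropped, which is exactly the limitation the reply describes.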


