Snort mailing list archives
Re: Country Block functionality in pre-processor
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 1 Mar 2011 08:12:38 -0500
On Feb 28, 2011, at 9:40 PM, Mehma Sarja wrote:
> Been running both country block and snort for the past few months and have one observation. Searched lists for similar discussion and did not find any. From what little I understand, the pre-processor rules are like a scouting party sent out by the military. Their job is to report on the approaching enemy.
Not really, although I could see where you would understand that. Preprocessors are functionality of Snort; they normalize traffic (for the most part) for the passing of traffic through to the Detection Engine (Rules). Some preprocessors have other functionality, for example, the SSL preprocessor with its ability to ignore SSL sessions. However, for the most part the functionality of preprocessors is the former (above), normalization of traffic.
> I am seeing one of the countries blocked being marked by the pre-processor and if true, have this one suggestion. If user selected to-block countries are somehow implemented in the pre-processors and requests from those IPs are dropped, it will free up firewall resources.
But.. that's what a firewall and router's job /is/.
> In my case, I am blocking all but 4 countries for my home setup. Imagine the resource savings if snort does not have to hassle with 98% of the IPs trying to come in.
This is why we suggest that IP blocks be done on an external machine such as a firewall or router. These two statements, as I read them, are contradictory.

Now, there are going to be people that will read my email and think the opposite. They want to block IPs at the Snort level instead of the firewall level. This could be for many reasons:
1) They aren't the firewall or network admin, and therefore don't always get their way as far as blocking IPs, so they do it themselves inside of Snort.
2) They can't convince people of the value of blocking individual IPs.
3) <insert whatever else here>

My opinion (and the opinion of many others) is: block IPs at the router or firewall, then let Snort deal with the stuff that makes it through that first line of defense. It's easy to block the layer 3 and 4 stuff at the firewall or router. Snort will deal with the rest of layer 5, 6, and 7.

Of course there are going to be those that disagree, and I welcome the discussion.

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
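The layering Joel argues for (a layer 3 address block in front of Snort, content rules only on what gets through) can be illustrated with a small simulation. The following is an added example, not code from the thread, from Snort, or from any country-block tool: the allowed networks are RFC 5737 / RFC 3849 documentation ranges standing in for "the 4 countries", the two content signatures are hypothetical stand-ins for Snort rules, and the flows are constructed. It counts how many flows reach the content-inspection stage with and without the address prefilter, which is the resource argument made in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist standing in for the "4 countries" from the thread.
# Documentation/example ranges only (RFC 5737, RFC 3849), not real geolocation data.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8::/32",
)]

# Hypothetical content signatures standing in for Snort rules (layer 7 work).
CONTENT_RULES = {
    "web-attack-traversal": re.compile(rb"\.\./\.\./"),
    "suspicious-user-agent": re.compile(rb"User-Agent: (?:sqlmap|nikto)", re.I),
}


@dataclass
class Flow:
    src: str        # source address as text
    payload: bytes  # application-layer bytes the content rules would inspect


def firewall_allows(src):
    """Layer 3 check, the job of the router/firewall: pass only allowed sources."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETWORKS)


def inspect_payload(payload):
    """Layer 7 check, the job of the detection engine: names of matching rules."""
    return [name for name, rx in CONTENT_RULES.items() if rx.search(payload)]


def run_pipeline(flows, prefilter=True):
    """Return (number of flows that reached content inspection, list of alerts).

    With prefilter=True the address check drops flows before inspection, as a
    firewall in front of Snort would; with prefilter=False every flow is inspected.
    """
    inspected = 0
    alerts = []
    for flow in flows:
        if prefilter and not firewall_allows(flow.src):
            continue  # dropped at the firewall; the detection engine never sees it
        inspected += 1
        for name in inspect_payload(flow.payload):
            alerts.append((flow.src, name))
    return inspected, alerts


# Constructed sample traffic: three sources inside the allowlist, three outside.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", b"GET /../../etc/passwd HTTP/1.1\r\nHost: example\r\n"),
    Flow("192.0.2.10", b"GET /index.html HTTP/1.1\r\nHost: example\r\n"),
    Flow("198.18.5.5", b"GET /../../etc/passwd HTTP/1.1\r\nHost: example\r\n"),
    Flow("100.64.1.1", b"GET / HTTP/1.1\r\nUser-Agent: Nikto/2.1\r\n"),
    Flow("2001:db8::1", b"GET /about HTTP/1.1\r\nHost: example\r\n"),
    Flow("2001:db9::1", b"GET /about HTTP/1.1\r\nHost: example\r\n"),
]

if __name__ == "__main__":
    for mode in (True, False):
        inspected, alerts = run_pipeline(SAMPLE_FLOWS, prefilter=mode)
        print(f"prefilter={mode}: {inspected} of {len(SAMPLE_FLOWS)} flows inspected, "
              f"{len(alerts)} alerts: {alerts}")
```

With the prefilter on, only the three allowed-source flows reach content inspection and one alert fires; with it off, all six are inspected and three alerts fire, two of them for traffic a firewall rule would have discarded before any regex ran. The content stage is the expensive part, which is why the thread recommends doing the address check upstream of Snort rather than inside it.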
Current thread:
- Country Block functionality in pre-processor Mehma Sarja (Feb 28)
- Re: Country Block functionality in pre-processor Joel Esler (Mar 01)