[Snort-devel] snort_inline-1.9.1-2 release

Rob McMillen rvmcmil at ...1029...
Mon Mar 31 03:53:23 EST 2003


On 31 Mar 2003, pieter claassen wrote:
> Sterling work on Snort_inline. Just a few questions if I may:
> 1. Are there any plans to support Snort 2.x and if so, when will that
> come?

Yes. 

> 2. Whenever I activate Snort_inline in bridging mode, then portscans
> slow down to a trickle. Can you think of a reason for this other than
> latency in the kernel vs. user space copying of packets?

Have you tried doing a test with the bridge code?  Someone sent me some test 
results a while back that showed the bridge to introduce some latency 
into the batter.  When they added snort_inline, it didn't increase it 
significantly.

> 3. Will the portscan preprocessor be integrated into snort_inline?( I
> guess that is a bit of an oxymoron because you can only identify a
> portscan by the number of packets that you have already let through in a
> time period)

Haven't tried the portscan preprocessor.  If it doesn't modify the packet 
payload, you should be able to use it.  However, it will not drop detected 
portscans, only alert.

> Lastly, I am interested in understanding the snort_inline code a bit
> better. Is there any information or advice as to how I can do that?

Take a look at inline.h and inline.c in the src directory.

Rob
