[Snort-devel] Country Block functionality in pre-processor

Mehma Sarja mehmasarja at ...2499...
Mon Feb 28 21:40:03 EST 2011


Been running both country block and snort for the past few months and 
have one observation. Searched lists for similar discussion and did not 
find any. From what little I understand, the pre-processor rules are 
like a scouting party sent out by the military. Their job is to report 
on the approaching enemy.

I am seeing one of the countries blocked being marked by the 
pre-processor and if true, have this one suggestion. If user selected 
to-block countries are somehow implemented in the pre-processors and 
requests from those IPs are dropped, it will free up firewall resources. 
In my case, I am blocking all but 4 countries for my home setup. Imagine 
the resource savings if snort does not have to hassle with 98% of the 
IPs trying to come in.

Mehma




More information about the Snort-devel mailing list