[Snort-devel] Country Block functionality in pre-processor

Joel Esler jesler at ...402...
Tue Mar 1 08:12:38 EST 2011

On Feb 28, 2011, at 9:40 PM, Mehma Sarja wrote:

> Been running both country block and snort for the past few months and 
> have one observation. Searched lists for similar discussion and did not 
> find any. From what little I understand, the pre-processor rules are 
> like a scouting party sent out by the military. Their job is to report 
> on the approaching enemy.

Not really, although I could see where you would understand that.  Preprocessors are functionality of Snort, they normalize traffic (for the most part) for the passing of traffic through to the Detection Engine (Rules).  Some preprocessors have other functionality, for example, the SSL preprocessor with its ability to ignore SSL sessions.  However, for the most part the functionality of preprocessors is the former (above), normalization of traffic.  

> I am seeing one of the countries blocked being marked by the 
> pre-processor and if true, have this one suggestion. If user selected 
> to-block countries are somehow implemented in the pre-processors and 
> requests from those IPs are dropped, it will free up firewall resources.

But..  that's what a firewall and router's job /is/.

> In my case, I am blocking all but 4 countries for my home setup. Imagine 
> the resource savings if snort does not have to hassle with 98% of the 
> IPs trying to come in.

This is why we suggest that IP blocks be done on an external machine such as a firewall or router.  These two statements, as I read them, are contradictory.

Now, there are going to be people that will read my email and think the opposite.  They want to block IPs at the Snort level instead of the firewall level.  This could be for many reasons:

	1) They aren't the firewall or network admin, and therefore don't always get their way as far as blocking IPs so they do it themselves inside of Snort.
	2) They can't convince people the value of blocking individual IPs.
	3) <insert whatever else here>

My opinion (and the opinion of many others) is, block IPs at the router or firewall, then let Snort deal with the stuff that makes it through that first line of defense.  It's easy to block the layer 3 and 4 stuff at the firewall or router.  Snort will deal with the rest of layer 5, 6, and 7.

Of course there are going to be those that disagree, and I welcome the discussion.

Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
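The split Joel argues for above, "block all but a handful of countries at the firewall, then let Snort see only what gets through", as a worked example. This is an editor's addition, not code from the thread or from the Snort project. The country-to-prefix table is constructed from documentation ranges (a real deployment would load a GeoIP feed), and the set name `allowed_countries`, the chain `INPUT` and the Snort variable name `EXTERNAL_ALLOWED` are assumed. The script emits an `ipset restore` input plus the two `iptables` rules that do the layer 3 drop, and the matching Snort 2.x `ipvar` so rules can be scoped to the traffic that survives the firewall; `firewall_would_drop` mirrors what the iptables rule decides for a given source address so the policy can be checked offline.

```python
"""Generate the firewall-side allow-list for a 'block all but N countries' policy
and the Snort-side ipvar that covers what the firewall lets through.

Editor's example; not part of the Snort project or the mailing-list thread.
"""
import ipaddress

# Constructed sample data (RFC 5737 / RFC 6598 documentation ranges).
# In practice this comes from a GeoIP country feed.
COUNTRY_PREFIXES = {
    "US": ["192.0.2.0/24", "198.51.100.0/24"],
    "CA": ["203.0.113.0/25"],
    "DE": ["203.0.113.128/25"],
    "BR": ["100.64.0.0/10"],
}

# The countries the home setup in the thread wants to keep (assumed values).
ALLOWED_COUNTRIES = {"US", "CA"}


def allowed_networks(prefixes, allowed):
    """Collapse the allowed countries' prefixes into a minimal sorted list.

    Collapsing matters at the firewall: fewer entries in the ipset, and no
    overlapping prefixes to reason about.
    """
    nets = [ipaddress.ip_network(p) for c in sorted(allowed) for p in prefixes[c]]
    return sorted(ipaddress.collapse_addresses(nets), key=lambda n: (n.version, n))


def ipset_restore(nets, setname="allowed_countries"):
    """Text for `ipset restore`: one hash:net set holding the allowed prefixes.

    `-exist` makes the script idempotent when it is re-applied after a feed update.
    """
    lines = [f"create {setname} hash:net family inet -exist"]
    lines += [f"add {setname} {n} -exist" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_rules(setname="allowed_countries", chain="INPUT"):
    """The layer 3 block, done where Joel says it belongs.

    Established/related traffic is accepted first so replies to the host's own
    outbound connections are not killed by the country allow-list; only *new*
    inbound traffic from outside the set is dropped.
    """
    return [
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A {chain} -m set ! --match-set {setname} src -j DROP",
    ]


def snort_ipvar(nets, name="EXTERNAL_ALLOWED"):
    """Snort 2.x ipvar listing the sources that can actually reach the sensor.

    Rules can then use $EXTERNAL_ALLOWED instead of any, so Snort spends its
    time on layer 5-7 inspection of the traffic the firewall let through.
    """
    return f"ipvar {name} [{','.join(str(n) for n in nets)}]"


def firewall_would_drop(src, nets):
    """Offline mirror of the `! --match-set ... src -j DROP` rule."""
    addr = ipaddress.ip_address(src)
    return not any(addr in n for n in nets)


if __name__ == "__main__":
    nets = allowed_networks(COUNTRY_PREFIXES, ALLOWED_COUNTRIES)
    print(ipset_restore(nets))
    print("\n".join(iptables_rules()))
    print(snort_ipvar(nets))
    for probe in ("192.0.2.7", "203.0.113.200", "100.64.1.1"):
        print(probe, "DROP" if firewall_would_drop(probe, nets) else "ACCEPT")
```

Apply the first part with `ipset restore < allowed.txt` before loading the iptables rules, and reload the set (not the rules) when the feed changes. Note the caveat for an allow-list this narrow: anything that must reach you from a blocked country (a CDN edge, a mail relay, a friend on holiday) is dropped before Snort ever sees it, which is exactly the resource saving Mehma describes, but also means Snort cannot log it.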
