[Snort-users] mark packets for further processing via iptables/tc ?
mkettler at ...4108...
Thu Dec 19 18:24:03 EST 2002
I noticed this question, which is a bit old, went unanswered, so here's an
In short, snort can do nothing like what you want, and it would be
impossible for anything vaguely resembling Snort to do so.
Snort is SLOW compared to the rate at which packets propagate through your
tcp stack. Tools like Guardian actually work *after* the offending packet
is long gone and already through your system. It then adds a block rule for
all packets from the source that triggered the alert. This does not block
the initial packet of the attack, but does block follow-up packets which
might be taking advantage of the exploit, or launching other attacks if the
first did not succeed. It takes a noticeable amount of time (milliseconds)
before the block rule gets added.
Also Snort operates in parallel with your IP stack, so while Snort is
analyzing a packet, it's already been passed off to your IP stack and is
working its way through your IPTables rules. Heck, in reality the packet
has most likely already been passed through all the IPTables rules before
Snort is even notified the packet exists!
Even if snort were re-written to hold packets and analyze them before
passing them along it would likely degrade your network performance very
severely. This would also make snort highly OS and kernel version specific,
and probably necessitate that much of the code exist in-kernel as a part of
IPTables (or IPF for the BSD folks) itself, something Snort is not intended
Snort is not a firewall, nor will it ever be able to react at firewall
speed. That's the price of the complex string matching that snort is
capable of. It's an IDS, attempting to do complex post-event analysis of
packets to detect attempts at network intrusion.
At 11:55 AM 12/11/2002 +0100, Gerd Feiner wrote:
>I am new to this list and did a search on the archives prior to posting
>my question. However, I can't seem to find the solution to my problem.
>Let me explain what i want to achieve:
>I want (if somehow possible) use SNORT to investigate traffic on my
>internet-link for a very special purpose. I'd like to seek for
>P2P-traffic (kazaa, morpheus, edonkey, etc.) and then -mark- the
>matching packets so that I can shape them with the tc-command.
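As an added illustration (not part of the original post, and not code from Snort or Guardian), the following script shows what the Guardian-style "react after the alert" approach looks like when pointed at the P2P shaping use case from the question: it reads Snort fast-format alert lines, and for each source host that trips one of a set of P2P rules it emits an iptables MARK rule so that later packets from that host can be picked up by a tc filter. It also counts the alerts whose packets were already through the box before the rule could exist, which is the point the reply makes. The alert lines, the local SIDs 1000001/1000002, the fwmark 0x10 and the 500 ms rule-insertion delay are all constructed assumptions for the example.

```python
"""
Reactive post-alert marking in the Guardian style described in the reply.
Snort never touches the packet here: by the time the alert line is written,
the packet that raised it has already cleared the IPTables rules.  All this
script can do is mark *follow-up* traffic from the same host.
Added example; not Snort, Guardian or iptables code.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed Snort 'fast' alert lines (alert_fast output format).  SIDs in
# the 1000000+ range are the conventional local/custom rule space; these
# rules and hosts are invented for the example.
SAMPLE_ALERTS = """\
12/11-11:55:32.123456  [**] [1:1000001:1] LOCAL P2P client handshake [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 198.51.100.7:6881
12/11-11:55:32.223456  [**] [1:1000001:1] LOCAL P2P client handshake [**] [Priority: 3] {TCP} 10.0.0.5:51235 -> 198.51.100.8:6881
12/11-11:55:40.000001  [**] [1:1000002:1] LOCAL P2P UDP tracker query [**] [Priority: 3] {UDP} 10.0.0.9:4662 -> 203.0.113.4:4672
12/11-11:55:41.000001  [**] [1:2000:1] Unrelated alert, not in our SID set [**] [Priority: 2] {TCP} 10.0.0.5:40000 -> 203.0.113.9:80
this line is garbage and must be skipped
"""

# One fast-format alert line.  Classification is optional; ICMP alerts
# carry no ports and deliberately fail to match.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

P2P_SIDS = {"1000001", "1000002"}  # hypothetical local SIDs for the P2P rules
SHAPE_MARK = 0x10                  # fwmark a 'tc filter ... fw' would match (assumed)


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert fields as a dict, or None for anything unparseable."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def mark_rule(ip: str, mark: int = SHAPE_MARK) -> List[str]:
    """iptables mangle-table rule that marks all further packets from ip."""
    return ["iptables", "-t", "mangle", "-A", "PREROUTING", "-s", ip,
            "-j", "MARK", "--set-mark", hex(mark)]


def react(alert_text: str, sids=P2P_SIDS,
          rule_delay_ms: float = 500.0) -> Tuple[List[List[str]], Dict[str, int]]:
    """Turn alert lines into iptables commands (one per newly seen host).

    Also returns, per host, how many alerting packets passed *before* the
    MARK rule was in place: the triggering packet always does, and with a
    non-zero insertion delay so do any that follow within that window.
    """
    delay = timedelta(milliseconds=rule_delay_ms)
    commands: List[List[str]] = []
    effective_at: Dict[str, datetime] = {}  # host -> when its rule is live
    unmarked: Dict[str, int] = {}           # host -> packets that got through
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None or a["sid"] not in sids:
            continue
        host = a["src"]
        # Year is irrelevant; only differences between timestamps matter.
        ts = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
        if host not in effective_at:
            commands.append(mark_rule(host))
            effective_at[host] = ts + delay
        # '<=' because even with zero delay the rule did not exist when
        # the packet that produced this very alert went through.
        if ts <= effective_at[host]:
            unmarked[host] = unmarked.get(host, 0) + 1
    return commands, unmarked


if __name__ == "__main__":
    cmds, missed = react(SAMPLE_ALERTS)
    for c in cmds:
        print(" ".join(c))
    for host, n in missed.items():
        print(f"# {host}: {n} alerting packet(s) passed before the rule existed")
```

Running it prints two MARK rules (one for 10.0.0.5, one for 10.0.0.9) rather than executing them; wiring the command list to a subprocess call is the operator's choice. Note the accounting: both of 10.0.0.5's handshake packets, 100 ms apart, are through the box before a 500 ms rule insertion completes, which is exactly the gap between "mark the matching packet" and what a reactive tool built on Snort alerts can actually deliver.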