[Snort-users] mark packets for further processing via iptables/tc ?

Matt Kettler mkettler at ...4108...
Thu Dec 19 18:24:03 EST 2002


I noticed this question, which is a bit old, went unanswered, so here's an 
answer.

In short, snort can do nothing like what you want, and it would be 
impossible for anything vaguely resembling Snort to do so.

Snort is SLOW compared to the rate at which packets propagate through your 
tcp stack. Tools like Guardian actually work *after* the offending packet 
is long gone and already through your system. It then adds a block rule for 
all packets from the source that triggered the alert. This does not block 
the initial packet of the attack, but does block follow-up packets which 
might be taking advantage of the exploit, or launching other attacks if the 
first did not succeed. It takes a noticeable amount of time (milliseconds) 
before the block rule gets added.

Also Snort operates in parallel with your IP stack, so while Snort is 
analyzing a packet, it's already been passed off to your IP stack and is 
working its way through your IPTables rules. Heck, in reality the packet 
has most likely already been passed through all the IPTables rules before 
Snort is even notified the packet exists!

Even if snort were re-written to hold packets and analyze them before 
passing them along it would likely degrade your network performance very 
severely. This would also make snort highly OS and kernel version specific, 
and probably necessitate that much of the code exist in-kernel as a part of 
IPTables (or IPF for the BSD folks) itself, something Snort is not intended 
to be.

Snort is not a firewall, nor will it ever be able to react at firewall 
speed. That's the price of the complex string matching that snort is 
capable of. It's an IDS, attempting to do complex post-event analysis of 
packets to detect attempts at network intrusion.


At 11:55 AM 12/11/2002 +0100, Gerd Feiner wrote:
>hi there,
>
>I am new to this list and did a search on the archives prior to posting
>my question.  However, I can't seem to find the solution to my problem.
>
>Let me explain what i want to achieve:
>
>I want (if somehow possible) to use SNORT to investigate traffic on my
>internet-link for a very special purpose.  I'd like to seek for
>P2P-traffic (kazaa, morpheus, edonkey, etc.) and then -mark- the
>matching packets so that I can shape them with the tc-command.
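An added illustration (not code from the post, from Snort, or from Guardian) of the only workable shape of the questioner's idea given the reply above: read Snort's alert output after the fact and mark *follow-up* traffic from the same source for tc, accepting that the packet that triggered the alert has already passed. The alert lines are constructed samples in Snort's alert_fast format; the mangle chain, the fwmark value and the rule SIDs are assumptions.

```python
import re

# Constructed sample alert_fast lines (not real captures); SIDs are made up.
SAMPLE_ALERTS = """\
12/11-11:55:01.123456  [**] [1:1000001:1] P2P kazaa GET request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:34567 -> 192.0.2.10:1214
12/11-11:55:01.456789  [**] [1:1000002:1] P2P eDonkey hello [**] [Priority: 2] {TCP} 10.0.0.5:34568 -> 192.0.2.11:4662
12/11-11:55:02.000001  [**] [1:1000001:1] P2P kazaa GET request [**] [Priority: 1] {TCP} 10.0.0.7:40000 -> 192.0.2.10:1214
"""

# Fields of one alert_fast line: [gid:sid:rev] message [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alerts(text):
    """Return a list of dicts (gid, sid, msg, proto, src, dst), one per parseable line."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def reactive_mark_rules(events, marked=None, chain="PREROUTING", mark=0x10):
    """Emit one iptables MARK rule per source not yet marked, Guardian-style.

    The rule only affects packets arriving *after* it is installed; the packet
    that raised the alert was forwarded long before Snort finished matching it.
    `marked` persists across calls so a tailing loop does not add duplicates.
    A tc filter such as `tc filter add dev eth0 parent 1: handle 0x10 fw flowid 1:20`
    (assumed, not shown here) would then shape the marked flows.
    """
    marked = set() if marked is None else marked
    cmds = []
    for e in events:
        if e["src"] in marked:
            continue
        marked.add(e["src"])
        cmds.append(f"iptables -t mangle -A {chain} -s {e['src']} -j MARK --set-mark {mark:#x}")
    return cmds


if __name__ == "__main__":
    for cmd in reactive_mark_rules(parse_alerts(SAMPLE_ALERTS)):
        print(cmd)
```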
