Snort mailing list archives
Re: block connections in IPS
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 03 Oct 2003 13:57:28 -0400
At 01:51 AM 10/3/2003, Ravi Kumar wrote:
Coming to my query, assume snort_inline integrated with any stateful packet inspection firewall. The firewall here consumes some processing time in hashing and maintaining associations etc., and again snort_inline eats up some more. But they give a good result whether to drop or accept. In this case how can we reduce even this small processing time? Any comments?
First, inline-snort doesn't integrate with just any stateful firewall; it integrates only with the Linux kernel's firewall (which is stateful if you use iptables).
There's not much you can do. You can gain some speed by carefully tuning your snort ruleset to contain a minimal set of rules, eliminating ones that are extraneous.
To some degree, added processing time is an unavoidable consequence of using an IPS. That's why not every firewall has an IPS function built in. If an IPS could be done without added overhead all firewalls would have IPS functionality by default.
You can also speed delivery time, at a cost of reduced security, by using a pseudo-IPS such as Snortsam. Snortsam adds the dynamic-blocking benefit of an IPS, but is not an in-line system. However, the tradeoff here is that Snortsam is slightly less than real-time. It won't actually block the offending packet, but will reconfigure the firewall to block packets from that IP sometime shortly after the attack is detected. This leaves a small window in time where packets can proceed, but it's arguably more secure than a firewall alone because it makes the window of opportunity significantly smaller.
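The reactive, after-the-fact blocking that Matt describes for Snortsam, as an added example that is not part of the original message and not Snortsam's own code. It models the mechanism in a few dozen lines: parse Snort 2.x alert_fast lines, decide whether the source deserves a block, and emit the iptables rule that a Snortsam-style agent would push into the firewall. The alert lines, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses, the FORWARD chain, the priority threshold and the 600-second block lifetime are all assumptions made for the example. The important property is visible in the design: the packet that raised the alert has already been forwarded by the time `handle()` returns a rule, which is exactly the window the post is talking about; an in-line snort_inline deployment closes it by dropping that first packet itself.

```python
"""Snortsam-style reactive blocking, modelled stand-alone (example code)."""
import re
import subprocess
import time
from typing import Dict, List, Optional, Set

# Constructed sample of Snort 2.x "alert_fast" output (not from the original
# post).  Addresses are from the RFC 5737 documentation ranges.
SAMPLE_ALERTS = """\
10/03-13:57:28.101234  [**] [1:1000001:1] TEST exploit attempt [**] [Priority: 1] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80
10/03-13:57:28.204567  [**] [1:1000001:1] TEST exploit attempt [**] [Priority: 1] {TCP} 192.0.2.10:4445 -> 198.51.100.5:80
10/03-13:57:29.000001  [**] [1:1000002:1] TEST scan [**] [Priority: 3] {TCP} 203.0.113.7:51000 -> 198.51.100.5:22
10/03-13:57:30.555555  [**] [1:1000001:1] TEST exploit attempt [**] [Priority: 1] {TCP} 198.51.100.1:1234 -> 198.51.100.5:80
"""

# Priority, protocol and endpoints of one alert_fast line.  Ports are optional
# so ICMP alerts ("{ICMP} a.b.c.d -> e.f.g.h") parse as well.
ALERT_RE = re.compile(
    r"\[Priority:\s*(?P<prio>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return {prio, proto, src, dst} for an alert line, or None if unparsable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "prio": int(m.group("prio")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


class ReactiveBlocker:
    """Turn alerts into firewall rules after the offending packet has passed.

    never_block: addresses that must never be cut off (the gateway itself,
    DNS, the admin host); a reactive blocker without this list is a
    self-inflicted denial of service waiting for a spoofed packet.
    """

    def __init__(self, never_block: Set[str], chain: str = "FORWARD",
                 max_priority: int = 1, ttl: int = 600) -> None:
        self.never_block = set(never_block)
        self.chain = chain
        self.max_priority = max_priority   # only block this priority or more severe
        self.ttl = ttl                     # seconds a block stays in place
        self.active: Dict[str, float] = {}  # src ip -> expiry timestamp

    def _rule(self, action: str, ip: str) -> List[str]:
        # "-I" inserts at the top so the DROP precedes any existing ACCEPT.
        return ["iptables", action, self.chain, "-s", ip, "-j", "DROP"]

    def handle(self, line: str, now: float) -> Optional[List[str]]:
        """Return the iptables command for a new block, or None."""
        alert = parse_alert(line)
        if alert is None or alert["prio"] > self.max_priority:
            return None
        src = alert["src"]
        if src in self.never_block or src in self.active:
            return None
        self.active[src] = now + self.ttl
        return self._rule("-I", src)

    def expire(self, now: float) -> List[List[str]]:
        """Return delete commands for blocks whose lifetime has run out."""
        done = [ip for ip, until in self.active.items() if until <= now]
        for ip in done:
            del self.active[ip]
        return [self._rule("-D", ip) for ip in done]


def process(lines, blocker: ReactiveBlocker, now: float) -> List[List[str]]:
    """Feed a batch of alert lines through the blocker; collect new rules."""
    return [cmd for cmd in (blocker.handle(l, now) for l in lines) if cmd]


def run(cmd: List[str], dry_run: bool = True) -> str:
    """Apply a rule (needs root and a real iptables); dry_run just echoes it."""
    if not dry_run:
        subprocess.run(cmd, check=True)
    return " ".join(cmd)


if __name__ == "__main__":
    blocker = ReactiveBlocker(never_block={"198.51.100.1"})
    for cmd in process(SAMPLE_ALERTS.splitlines(), blocker, time.time()):
        print(run(cmd))
```

Run against the constructed sample it emits a single rule for 192.0.2.10: the second alert from that host is a duplicate, the scan is below the priority threshold, and 198.51.100.1 is on the never-block list. Everything from 192.0.2.10 that arrived before that rule landed went through, which is Matt's point about the window.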
Current thread:
- What are the differences between and IPS and IDS? Chhabria, Kavita - Apogent (Oct 01)
- Re: What are the differences between and IPS and IDS? twig les (Oct 01)
- Message not available
- Re: What are the differences between and IPS and IDS? Matt Kettler (Oct 01)
- Re: What are the differences between and IPS and IDS? Ravi Kumar (Oct 01)
- block connections in IPS Ravi Kumar (Oct 01)
- Re: block connections in IPS Geoff (Oct 01)
- RE: block connections in IPS Michael Steele (Oct 02)
- Re: block connections in IPS Ravi Kumar (Oct 02)
- Re: block connections in IPS Geoff (Oct 02)
- Re: block connections in IPS Ravi Kumar (Oct 02)
- Re: block connections in IPS Matt Kettler (Oct 03)
- Re: What are the differences between and IPS and IDS? Matt Kettler (Oct 01)
- <Possible follow-ups>
- Re: What are the differences between and IPS and IDS? Ganu Skop (Oct 04)