Snort_inline n00b

Victor Julien
To: mnajem
Hi!

mnajem wrote:
> hi,
>
> I am relatively new to IDS and IPS stuff.
> I am confused with
>
> snort rules, say here:
> http://www.bleedingthreats.net/bleeding-all.rules
>
> and snort_inline rules.
>
> Do they have a difference? I mean, does snort_inline use Snort's rules so
> that iptables will drop messages got via libipq?

I think the difference is just that the snort_inline rules have the
action set to 'drop' already. The Snort rules are just using 'alert'.

> Currently I'm trying to do research on improving speed of IDS/IPS
> whether on signature checking or if possible in layer 7 inspection/deep
> inspection.
>
> In addition, I am also confused whether l7 netfilter does the same job as
> snort_inline on inspecting packets.

The l7 matching in netfilter and also the string matching in netfilter
are very limited compared to Snort. This is because snort does many more
things with the packets before inspecting them, such as stream
reassembly, decoding, normalizing, etc. All these things are not
possible in netfilter. The advantage of the netfilter modules however,
is speed. The speed of an in-kernel matching mechanism is much higher.
The disadvantage is that it's trivial to evade detection by methods like
session splicing or tcp fragmentation and all kinds of encoding.

Hope this helps,
Victor
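
An added example, not part of the thread, illustrating the one difference Victor names: the same Snort rule text with the action keyword switched from 'alert' to 'drop' for use under snort_inline. The sample rules and their sids are constructed for this example and are not taken from bleeding-all.rules.

```python
import re

# Actions Snort accepts as the first token of a rule. snort_inline adds
# drop, sdrop and reject for use with the iptables QUEUE target (libipq).
SNORT_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                 "drop", "sdrop", "reject"}

RULE_RE = re.compile(r"^(?P<action>[a-z]+)\s+(?P<rest>\S.*)$")


def convert_ruleset(text, to_action="drop", only_from=("alert",)):
    """Rewrite the action keyword of every rule in a Snort rules file.

    Comments, blank lines, backslash-continued lines and rules whose action
    is not in only_from are left untouched. Returns (new_text, rules_changed).
    """
    out, changed, continued = [], 0, False
    for line in text.splitlines():
        stripped = line.strip()
        # A continuation line never carries the action keyword.
        if continued or not stripped or stripped.startswith("#"):
            out.append(line)
        else:
            m = RULE_RE.match(stripped)
            if m and m.group("action") in SNORT_ACTIONS \
                    and m.group("action") in only_from:
                out.append(f"{to_action} {m.group('rest')}")
                changed += 1
            else:
                out.append(line)
        continued = stripped.endswith("\\")
    return "\n".join(out), changed


# Constructed sample rules (hypothetical sids, not from bleeding-all.rules).
SAMPLE_RULES = (
    "# constructed sample ruleset\n"
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; '
    'flow:to_server,established; content:"/example-probe"; sid:1000001; rev:1;)\n'
    'pass tcp $HOME_NET any -> any 53 (msg:"EXAMPLE allowed dns"; sid:1000002; rev:1;)\n'
    '# alert tcp any any -> any any (msg:"disabled rule"; sid:1000003; rev:1;)\n'
    'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"EXAMPLE snmp"; \\\n'
    '    content:"public"; sid:1000004; rev:1;)\n'
)

if __name__ == "__main__":
    converted, n = convert_ruleset(SAMPLE_RULES)
    print(converted)
    print(f"{n} rule(s) switched to drop")
```

Running it back with to_action="alert" and only_from=("drop",) restores the detection-only form, which is handy when evaluating a ruleset as an IDS before letting it drop traffic inline.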
