Snort_inline n00b
Victor Julien
To: mnajem
Hi!

mnajem wrote:
> hi,
>
> I am relatively new to IDS and IPS stuff.
> I am confused with
>
> snort rules, say here:
> http://www.bleedingthreats.net/bleeding-all.rules
>
> and snort_inline rules.
>
> Is there a difference? I mean, does snort_inline use snort's rules so
> that iptables will drop the packets received via libipq?

I think the difference is just that the snort_inline rules have the
action set to 'drop' already. The Snort rules are just using 'alert'.

> Currently I'm trying to do research on improving the speed of IDS/IPS,
> whether on signature checking or, if possible, in layer 7 inspection/deep
> inspection.
>
> In addition, I am also confused about whether l7 netfilter does the same job
> as snort_inline in inspecting packets.

The l7 matching in netfilter and also the string matching in netfilter
are very limited compared to Snort. This is because snort does many more
things with the packets before inspecting them, such as stream
reassembly, decoding, normalizing, etc. All these things are not
possible in netfilter. The advantage of the netfilter modules however,
is speed. The speed of an in-kernel matching mechanism is much higher.
The disadvantage is that it's trivial to evade detection by methods like
session splicing or TCP fragmentation and all kinds of encoding.

Hope this helps,
Victor
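To make both points in Victor's reply concrete, the rule-action difference and why matching on single packets misses a string that is split across TCP segments, here is a small added example; it is not code from this thread, from Snort or from netfilter. It assumes a toy Rule holding only an action and one content string, constructed sample segments, and a simplified reassembler that raises on a missing segment instead of buffering it.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    """Toy stand-in for a Snort rule: only the action and one content match."""
    action: str      # 'alert' in the stock Snort rules, 'drop' in snort_inline rules
    content: bytes

def as_inline(rule: Rule) -> Rule:
    """The only difference between a Snort rule and its snort_inline version."""
    return replace(rule, action="drop")

def inspect_per_packet(segments, rule):
    """Stateless, in-kernel style matching: each TCP segment is checked alone."""
    for _, data in segments:
        if rule.content in data:
            return rule.action
    return None            # pattern never fits inside one segment -> missed

def reassemble(segments) -> bytes:
    """Order segments by sequence number and trim retransmitted bytes."""
    stream, expected = b"", None
    for seq, data in sorted(segments):
        expected = seq if expected is None else expected
        if seq > expected:
            raise ValueError(f"hole in stream before seq {seq}")
        data = data[expected - seq:]   # drop bytes the stream already holds
        stream += data
        expected += len(data)
    return stream

def inspect_stream(segments, rule):
    """Snort-style matching on the reassembled stream instead of raw segments."""
    return rule.action if rule.content in reassemble(segments) else None

# Constructed sample traffic: one HTTP request delivered as three out-of-order
# TCP segments plus one retransmission; (seq, payload) pairs, 1-based seq.
SEGMENTS = [
    (40, b"Host: example\r\n\r\n"),
    (1, b"GET /cgi-bin/x?f=/etc/pa"),        # pattern split at the segment edge
    (25, b"sswd HTTP/1.0\r\n"),
    (1, b"GET /cgi-bin/x?f=/etc/pa"),        # duplicate (retransmitted) segment
]
SNORT_RULE = Rule(action="alert", content=b"/etc/passwd")

if __name__ == "__main__":
    print("per-packet:", inspect_per_packet(SEGMENTS, SNORT_RULE))        # None
    print("stream    :", inspect_stream(SEGMENTS, as_inline(SNORT_RULE)))  # drop
```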
