Snort_inline: running Snort_inline

No, it’s not released. But it will be soon… really!

William has done most of the hard work of porting our Snort_inline patch from 2.4.5 to 2.6. I have mostly been working on improving the stream4inline modification. I have written about this before. Like the stream4inline modification in Snort_inline 2.4.5 it scans the stream in a sliding window, making it possible to drop an attack detected in the reassembled stream. The new code does the same but is much faster, at the cost of higher memory usage.

Another interesting feature is that it keeps track of the number of sequence holes in a stream and can force a stream back into order. The limit can be enforced on the number of out-of-order packets and bytes, and also on the number of simultaneous sequence number holes. This was inspired by the paper by Sarang Dharmapurikar and Vern Paxson.
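As an added illustration, not the stream4inline code itself, here is a small Python model of the limits described above: out-of-order segments are buffered until a limit on packets, bytes or simultaneous holes is crossed, after which out-of-order segments are dropped so the sender has to retransmit the missing data first. The limit values, the segments and the assumption that segments from one side do not overlap each other are mine, not from the post.

```python
from dataclasses import dataclass, field

@dataclass
class StreamState:
    next_seq: int                 # next in-order byte expected from this side
    max_ooo_pkts: int = 4         # limits are constructed values for the demo
    max_ooo_bytes: int = 4096
    max_holes: int = 2
    buffered: dict = field(default_factory=dict)  # seq -> payload held out of order
    enforcing: bool = False       # True while the stream is being forced back in order
    reassembled: bytes = b""      # in-order data handed to the detection engine

def count_holes(state: StreamState) -> int:
    """Count distinct gaps between next_seq and the buffered segments."""
    holes, reach = 0, state.next_seq
    for seq in sorted(state.buffered):
        if seq > reach:
            holes += 1
        reach = max(reach, seq + len(state.buffered[seq]))
    return holes

def handle_segment(state: StreamState, seq: int, payload: bytes) -> str:
    """Process one segment from one side; return the inline verdict 'pass' or 'drop'."""
    end = seq + len(payload)
    if end <= state.next_seq:
        return "pass"             # retransmission of data already reassembled
    if seq < state.next_seq:      # partial overlap: keep only the new tail
        payload, seq = payload[state.next_seq - seq:], state.next_seq
    if seq == state.next_seq:
        state.reassembled += payload
        state.next_seq = seq + len(payload)
        while state.next_seq in state.buffered:      # drain segments that now fit
            seg = state.buffered.pop(state.next_seq)
            state.reassembled += seg
            state.next_seq += len(seg)
        if state.enforcing and count_holes(state) == 0:
            state.enforcing = False                  # stream caught up, lift enforcement
        return "pass"
    if state.enforcing:           # out of order while catching up: sender must retransmit
        return "drop"
    state.buffered[seq] = payload
    if (len(state.buffered) > state.max_ooo_pkts
            or sum(len(p) for p in state.buffered.values()) > state.max_ooo_bytes
            or count_holes(state) > state.max_holes):
        del state.buffered[seq]   # the segment that crossed the limit is not kept
        state.enforcing = True
        return "drop"
    return "pass"
```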

Last but not least, it adds support for window scaling to stream4. Since window scaling makes window sizes of up to a gigabyte possible, I’ve added a normalizing function as well, which can force all streams to use a configurable maximum wscale setting.

But it is running on my gateway now, which is also the gateway leading to this blog, so if it is unavailable to you, you’ve hit a bug 😉

2 thoughts on “Snort_inline: running Snort_inline”

  1. Since Snort proper has inline support, perhaps a brief list of things that differ in Snort_Inline would be beneficial to those deciding whether to use Snort proper, or Snort_Inline.

  2. Jason, I was going to say: read the Snort inline site, but then I remembered it is not mentioned there 😉

    Ok, these are some of the points that improved over mainline Snort:
    – support for the new linux/netfilter queueing method
    – bait and switch preprocessor
    – stickydrop preprocessor
    – clamav preprocessor
    – improved stream4 for inline use
    – improved version of reject action
    – fixes for FreeBSD
    – removal of dependency on libnet, using libdnet instead

    There might be more that I can’t remember right now, but I think these are the most important.
