
Re: Re: [Snort-users] Commercial Advanced Packet Sniffers, how do they do this? Application signatures?

Dimitri Syuoul wrote:
On Fri, Jan 22, 2010 at 2:42 PM, Richard Bejtlich <taosecurity@xxxxxxxxx> wrote:

[1] http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html
[2] http://bro-ids.org/wiki/index.php/DynamicProtocolDetection



Interestingly enough, the L7-filter and IPP2P projects seem to be dead.

The specific projects may or may not be dead. But there were people pushing support for those into the Linux kernel and iptables/netfilter tools last year. Those versions at least are still being maintained and fixed.


http://bro-ids.org/wiki/index.php/DynamicProtocolDetection is an interesting concept, but it appears to be general and doesn't seem to be ready for production.


Dimitri

My personal experience with Snort and Squid on the same gateway box is that with Snort running, Squid's maximum requests/sec limit is halved. As soon as Snort is turned on the performance crunches. Turn Snort off again and things recover in seconds. Running Snort on a separate box, chained, things are better, but there is still a minor dip in performance.

This is with Squid 3.1, IPv6, NAT, and the latest Debian Snort and kernels. I'm suspecting (on almost no evidence) that it may be inefficient handling by the kernel, Snort or libpcap of the IPv6 sockets or of the double NAT needed for interception with Squid.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
  Current Beta Squid 3.1.0.15
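The subject of the thread, and the L7-filter / Bro dynamic-protocol-detection links quoted above, is identifying an application protocol from the payload rather than from the destination port. The block below is an added example written for this archive page; it is not code from the thread, from L7-filter, IPP2P or Bro. It shows the core of what those tools do: buffer the first bytes of each flow, run ordered payload regexes over that buffer, and compare the result with the naive port-based guess so that a protocol on an unexpected port (here SSH on 443) is flagged. All signatures, the INSPECT_BYTES budget, the flow-key layout and the sample flows are constructed and simplified for illustration; the shipped L7-filter patterns are longer and stricter.

```python
"""Port-independent protocol identification by payload signature (added example)."""
import re
from collections import defaultdict

# Only the first bytes of a flow are inspected; L7-filter style tools stop
# after a small budget so the per-connection cost stays bounded.
INSPECT_BYTES = 512

# Ordered (protocol, regex) list; more specific signatures first. These are
# constructed approximations written for this example, not shipped patterns.
# re.DOTALL lets '.' match 0x0a inside binary headers (TLS record lengths).
SIGNATURES = [
    ("ssh", re.compile(rb"\ASSH-[12]\.[0-9]+-")),
    # TLS record header (type 0x16, version 3.x, 2-byte length) then ClientHello (0x01)
    ("tls", re.compile(rb"\A\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("http", re.compile(rb"\A(GET|POST|HEAD|PUT|DELETE|OPTIONS) [^\r\n]* HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"\A220 [^\r\n]*\r\n")),
    ("bittorrent", re.compile(rb"\A\x13BitTorrent protocol")),
]

# What a port-based classifier would say, for comparison (constructed table).
PORT_GUESS = {22: "ssh", 25: "smtp", 80: "http", 443: "tls", 6881: "bittorrent"}


def classify_payload(data):
    """Return the protocol name for the first INSPECT_BYTES of a flow, or 'unknown'."""
    head = data[:INSPECT_BYTES]
    for proto, rx in SIGNATURES:
        if rx.search(head):
            return proto
    return "unknown"


def reassemble(packets):
    """Concatenate payload per flow in arrival order, keeping only INSPECT_BYTES.

    packets: iterable of (flow_key, payload). flow_key is the constructed
    tuple (client_ip, client_port, server_ip, server_port); payload from
    either direction of that connection is appended to the same buffer.
    """
    flows = defaultdict(bytes)
    for key, payload in packets:
        if len(flows[key]) < INSPECT_BYTES:
            flows[key] += payload
    return flows


def classify_flows(packets):
    """Return {flow_key: (port_based_guess, payload_verdict)} for every flow."""
    results = {}
    for key, data in reassemble(packets).items():
        server_port = key[3]
        results[key] = (PORT_GUESS.get(server_port, "unknown"), classify_payload(data))
    return results


def mismatched_flows(packets):
    """Flows where both classifiers are confident and disagree, e.g. SSH on 443."""
    return [key for key, (port_guess, verdict) in classify_flows(packets).items()
            if port_guess != "unknown" and verdict != "unknown" and port_guess != verdict]


# Constructed sample traffic: four connections, one of them split across packets.
SAMPLE_PACKETS = [
    # HTTP on a non-standard port: port-based says unknown, payload says http
    (("10.0.0.5", 51000, "192.0.2.10", 8080),
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # SSH tunnelled over 443: port-based says tls, payload says ssh
    (("10.0.0.5", 51001, "192.0.2.10", 443), b"SSH-2.0-OpenSSH_5.3\r\n"),
    # Real TLS ClientHello on 443, record header and body in separate packets
    (("10.0.0.5", 51002, "192.0.2.10", 443), b"\x16\x03\x01\x00\x9c"),
    (("10.0.0.5", 51002, "192.0.2.10", 443), b"\x01\x00\x00\x98\x03\x03" + b"\x00" * 32),
    # SMTP server banner on 25
    (("10.0.0.5", 51003, "192.0.2.20", 25), b"220 mail.example.test ESMTP\r\n"),
]

if __name__ == "__main__":
    for key, (guess, verdict) in classify_flows(SAMPLE_PACKETS).items():
        print(f"{key[2]}:{key[3]}  port-based={guess:<8} payload={verdict}")
    print("mismatches:", mismatched_flows(SAMPLE_PACKETS))
```

The ordering of SIGNATURES matters: a loose pattern placed first would shadow a tighter one, and anchoring each regex with `\A` keeps the match cost linear in the inspected prefix rather than in the whole flow, which is the same bounded-buffer trade-off L7-filter makes.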
