Dimitri Syuoul wrote:
On Fri, Jan 22, 2010 at 2:42 PM, Richard Bejtlich <taosecurity@xxxxxxxxx> wrote:
[1] http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html
[2] http://bro-ids.org/wiki/index.php/DynamicProtocolDetection
Interestingly enough, the L7-filter and IPP2P projects seem to be dead.
The specific projects may or may not be dead. But there were people
pushing support for those into the Linux kernel and iptables/netfilter
tools last year. Those versions at least are still being maintained and
fixed.
http://bro-ids.org/wiki/index.php/DynamicProtocolDetection is an
interesting concept, but it appears to be general and doesn't seem to
be ready for production.
Dimitri
My personal experience with Snort and Squid on the same gateway box is
that with snort running, Squid's request/sec maximum limit is halved. As
soon as snort is turned on the performance crunches. Turn snort off
again and things recover in seconds.
Running snort on a separate box, chained, things are better. But
there is still a minor dip in performance.
This with squid 3.1, IPv6, NAT, latest Debian snort, and kernels. I'm
suspecting (on almost no evidence) that it may be inefficient handling
by kernel, Snort or libpcap for the IPv6 sockets or double-NAT needed
for interception with Squid.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
Current Beta Squid 3.1.0.15