Re: [squid-users] Re: [Snort-users] Commercial Advanced Packet Sniffers, how do they do this? Application signatures?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 23 Jan 2010 11:49:30 +1300

Dimitri Syuoul wrote:
> On Fri, Jan 22, 2010 at 2:42 PM, Richard Bejtlich <taosecurity_at_gmail.com> wrote:
>
>> [1] http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html
>> [2] http://bro-ids.org/wiki/index.php/DynamicProtocolDetection
>>
>
>
> Interestingly enough, the L7-filter and IPP2P projects seem to be dead.

The specific projects may or may not be dead. But there were people
pushing support for those into the Linux kernel and iptables/netfilter
tools last year. Those versions at least are still being maintained and
fixed.

>
> http://bro-ids.org/wiki/index.php/DynamicProtocolDetection is an
> interesting concept but it appears to be general.. and doesn't seem to
> be ready for production..
>
>
> Dimitri

My personal experience with Snort and Squid on the same gateway box is
that with snort running, Squid's request/sec maximum limit is halved. As
soon as snort is turned on the performance crunches. Turn snort off
again and things recover in seconds.
Running snort on a separate box, chained, things are better. But
still a minor dip in performance.

This is with squid 3.1, IPv6, NAT, latest Debian snort, and kernels. I'm
suspecting (on almost no evidence) that it may be inefficient handling
by the kernel, Snort or libpcap for the IPv6 sockets or the double-NAT
needed for interception with Squid.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Fri Jan 22 2010 - 22:49:40 MST