[Emerging-Sigs] Potential BPF File Limitations?

Joel Esler jesler at sourcefire.com
Thu Oct 13 15:56:27 EDT 2011


Replying to my own email --

Before anyone asks, Yes, we have more plans for this in future releases.  

J

On Oct 13, 2011, at 3:55 PM, Joel Esler wrote:

> Blacklist -- If you are inline, will drop.
> Whitelist -- will not pass the traffic from the IPs into the detection engine.  Essentially bypassing all inspection.
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> 
> On Oct 13, 2011, at 1:00 PM, Korodev wrote:
> 
>> From what I've read, the new reputation preprocessors SF has
>> introduced will fire off an event when it sees a whitelisted or
>> blacklisted IP, but I'm unclear as to what happens after that. Is
>> Snort done with the packet at that point, or does it continue on
>> through rule inspection?
>> 
>> \\korodev
>> 
>> 
>> 
>> On Thu, Oct 13, 2011 at 11:10 AM, Martin Holste <mcholste at gmail.com> wrote:
>>> Snort 2.9.1.1 introduced the socket you can write to which will
>>> dynamically change the black and whitelists, which looks like it will
>>> help you (http://manual.snort.org/node16.html#SECTION003219000000000000000).
>>> What is unclear is whether or not a whitelist means you will not
>>> alert on that traffic or not.  Joel, can you clarify?
>>> 
>>> On Thu, Oct 13, 2011 at 8:54 AM, Korodev <korodev at gmail.com> wrote:
>>>> I'm in a situation where I need to efficiently tell Snort to ignore a
>>>> large dynamic list of IPs similar to a whitelist scenario. I'm
>>>> currently using BPF filters in a file, but after seeing Eoin's RBN
>>>> trickery, I was wondering if there might be any performance
>>>> differences in building these as ipvars and negating them from my
>>>> external ipvar.
>>>> 
>>>> I'm thinking that BPF filters are still probably the best route here,
>>>> since processing occurs much earlier in the process, but I'm worried
>>>> about how it will scale as the BPF file grows. Should I be worried
>>>> about this?
>>>> 
>>>> \\korodev
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> 
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>>> 
>>> 
> 
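The thread compares a growing BPF filter file with the reputation preprocessor's whitelist. As an added example, not from the thread, Snort or Sourcefire, this script turns one plain address list into both artefacts and, when tcpdump is installed, measures how large the compiled BPF filter actually gets; the file names and sample addresses are constructed, and the one-IP-or-CIDR-per-line whitelist format is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread, Snort or Sourcefire). Reads a list of
# IPs/CIDRs (one per line, "#" comments) and writes a BPF filter file that keeps
# them out of Snort, plus a reputation whitelist file (assumed: same one-per-line
# format). With tcpdump present it also counts compiled BPF instructions, which
# is the quantity that grows with the filter file.

# Emit "not (net A or host B ...)" for every address on stdin.
bpf_from_list() {
    expr=""
    while IFS= read -r line; do
        line=${line%%#*}            # strip trailing comment
        set -- $line                # first token is the address, if any
        [ $# -eq 0 ] && continue
        case $1 in
            */*) term="net $1" ;;   # CIDR block
            *)   term="host $1" ;;  # single address
        esac
        if [ -z "$expr" ]; then expr=$term; else expr="$expr or $term"; fi
    done
    if [ -n "$expr" ]; then printf 'not (%s)\n' "$expr"; fi
}

# Same cleaning, one address per line, for a reputation list file.
reputation_list_from() {
    while IFS= read -r line; do
        line=${line%%#*}; set -- $line
        if [ $# -gt 0 ]; then printf '%s\n' "$1"; fi
    done
}

# Compile a filter file with "tcpdump -d" and count instructions. A 24-byte
# empty pcap header (Ethernet link type) lets tcpdump compile without opening
# an interface, so no root needed.
bpf_insn_count() {                  # $1 = filter file
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not installed" >&2; return 1; }
    pcap=$(mktemp)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' >"$pcap"
    tcpdump -d -r "$pcap" -F "$1" 2>/dev/null | grep -c '^('
    rm -f "$pcap"
}

# Constructed sample list (documentation ranges); file names are placeholders.
SAMPLE='10.0.0.0/8     # corp
192.0.2.44
198.51.100.0/24'
printf '%s\n' "$SAMPLE" | bpf_from_list >bpf-whitelist.txt
printf '%s\n' "$SAMPLE" | reputation_list_from >white.list
bpf_insn_count bpf-whitelist.txt 2>/dev/null || true
```

Re-run the count after appending a few hundred entries to the list to see the instruction total climb; that growth is what the original question worries about.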