Topic: How to use Snort for traffic shaping purposes?

FireBean
How to use Snort for traffic shaping purposes?
« on: December 06, 2017, 10:04:32 pm »
Ever since Layer 7 was removed, it was recommended to use snort to help with application identification. I see how snort does this but I don't see how I can link SID to a traffic queue... And there is no guide that I can find that does this and searching forums is not granular enough to find what I'm looking to do.

bmeeks
Re: How to use Snort for traffic shaping purposes?
« Reply #1 on: December 07, 2017, 08:40:21 am »
Ever since Layer 7 was removed, it was recommended to use snort to help with application identification. I see how snort does this but I don't see how I can link SID to a traffic queue... And there is no guide that I can find that does this and searching forums is not granular enough to find what I'm looking to do.

Snort cannot be used for any kind of traffic shaping.  That's not its function and it is not designed to understand queues.

Bill

FireBean
Re: How to use Snort for traffic shaping purposes?
« Reply #2 on: December 07, 2017, 12:02:09 pm »
Then why was it even suggested? There is no way to get Snort to tag traffic in a sense for the FIREWALL to drop the traffic in the proper queue?

bmeeks
Re: How to use Snort for traffic shaping purposes?
« Reply #3 on: December 07, 2017, 03:06:47 pm »
Then why was it even suggested? There is no way to get Snort to tag traffic in a sense for the FIREWALL to drop the traffic in the proper queue?

No, not without rewriting the binary.  It's an IDS/IPS, not a traffic shaper.  The Level 7 inspecting part you saw in the blog post is about inspecting traffic against specific applications for alerting on it or blocking it, not for shaping it.  So the OpenAppID feature of Snort would allow it to identify and drop Facebook traffic or other social media apps, for example.

Bill
« Last Edit: December 08, 2017, 01:43:16 pm by bmeeks »