How to use Snort for traffic shaping purposes?
-
Ever since Layer 7 was removed, it was recommended to use Snort to help with application identification. I see how Snort does this but I don't see how I can link a SID to a traffic queue… And there is no guide that I can find that does this and searching forums is not granular enough to find what I'm looking to do.
-
Snort cannot be used for any kind of traffic shaping. That's not its function and it is not designed to understand queues.
Bill
-
Then why was it even suggested? There is no way to get Snort to tag traffic in a sense for the FIREWALL to drop the traffic in the proper queue?
-
No, not without rewriting the binary. It's an IDS/IPS, not a traffic shaper. The Level 7 inspecting part you saw in the blog post is about inspecting traffic against specific applications for alerting on it or blocking it, not for shaping it. So the OpenAppID feature of Snort would allow it to identify and drop Facebook traffic or other social media apps, for example.
Bill