Using Snort for gateway selection ?

John Gillespie

Hi,

I have two ISPs set up on a pfSense box with policy based routing.

Is it possible to get Snort to mark/tag packets (that match a given category) and then use that packet marking in pfSense's firewall rules ?

For example, I'd like to identify bitorrent traffic and send it over a specific WAN link instead of the default one.

Regards,
John

jimp

By the time snort can recognize the connection, it has already established and is flowing over one WAN. It would be too late to make that decision to move it. At least for TCP. UDP may be more likely but still awkward and less likely to function.

It's not a snort limit, you can't use L7 classification of any kind for policy routing, only blocking. You can only policy route based on things that can be matched before a connection is made (read: packet attributes like IP address, port, etc).

John Gillespie

Thanks for your reply.

That makes perfect sense. Hadn't thought it through enough…

Happy Holidays,
John