Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Control » Snort Suggestions (Suggestions for improving Snort in Kerio Control)
  •  
J_Warren

Messages: 3
Karma: 0
Send a private message to this user
I've been using Kerio Control for a long time, and I must say I have been generally very pleased with the product. Granted, it does have its faults, just like any other product (HTTP inspector instability, lack of IPv6 support), but I am very pleased with the inclusion of Snort.

I have a couple of issues that should be at least considered, though. They should be pretty easy to implement as well, since they aren't dramatic changes. I've been playing a lot with the distribution of Snort that comes with Kerio Control, and if I interpret things correctly, you are using nfq to handle packet capture. There is a bug in Snort (up until 2.9 IIRC in which the Unified2 logs are unparseable by Barnyard2 - it tends to throw a ton of "Not IPv4 Datagram!" error messages and discard all the packets. Hence, nothing can be logged to an external database for further analysis and reporting.

My suggestion as a stopgap (because perhaps compiling Snort 2.9 is problematic with all of the patches you've done? I'm not sure from looking at the source available from Kerio) is to just compile the snort you distribute with Kerio Control with MySQL support enabled as well. It wouldn't add any excess baggage to the memory footprint, per se, and give systems administrators a lot more flexibility in terms of logging and reporting of intrusions.

My second suggestion for Snort is in the snort.conf template file. You might want to consider moving to using "config detection: search-method ac-bnfa-q search-optimize" instead of "config detection: search-method lowmem". Lowmem is a much older method, and is lower performance than ac-bnfa (which is now the default these days). It does increase the memory footprint a bit, but also speeds up processing of traffic, which can make a noticeable impact on loaded networks.

P.S. And yes, another vote for IPv6 support. Where I am here in France, many ISPs now (and have for several years now) offered native, non-tunneled IPv6 support to clients. I know that retooling Kerio Control for IPv6 isn't exactly an easy task, but on the other hand, now that IPv6 Day has come and gone, it's becoming a very important issue.

EDIT: Support Ticket filed.

[Updated on: Fri, 17 June 2011 15:36]

Previous Topic: Kerio Control Environment
Next Topic: Snort and Netfilter
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Tue Sep 19 21:00:12 CEST 2017

Total time taken to generate the page: 0.00360 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.