because I can't figure out how fast Snort can be at detecting bad traffic, especially on a busy gateway.
Snort propaganda says something about near-flawless detection on gigabit links, so.
During the last hour, I saw Guardian do its job in blocking the traffic from a suspicious server/IP that was sending me a virus, but only after the connection was already closed.
Detection isn't the same as blocking. I never did test Guardian for its speed, but since it's a Perl script I'm sure the interval at which it reads the log is tweakable.
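As an added example, not code from this thread or from Guardian itself: a minimal Python reader for Snort's fast-alert log (the `-A fast` output format) that mimics the log-polling approach the reply describes, turning alerts into firewall blocks while exempting the local network so the gateway never blocks its own hosts. The log lines are constructed for the example, and the blocking policy (a priority threshold plus a whitelist of local networks) is an assumed, illustrative choice rather than Guardian's actual logic.

```python
"""Guardian-style alert reader for Snort's fast-alert log (added example).

Assumptions (not from the thread): the line layout is Snort's `-A fast`
format, the sample lines are constructed, and the block policy below is an
illustrative choice, not Guardian's own behaviour.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Snort fast-alert layout (IPv4 only here for simplicity):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} SRC[:SPORT] -> DST[:DPORT]
# The Classification block is absent when the rule has no classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: two hits from the same outside host, one P2P alert
# whose *source* is an inside client, one portscan, and one junk line.
SAMPLE_LOG = """\
12/24-23:58:01.104233  [**] [1:1000001:2] EXAMPLE WEB-CLIENT suspicious download [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:80 -> 192.168.1.20:33412
12/24-23:58:03.551900  [**] [1:1000002:1] EXAMPLE P2P KaZaA GET request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.30:1214 -> 198.51.100.9:1214
12/24-23:58:04.002117  [**] [1:1000003:1] EXAMPLE SCAN nmap probe [**] [Priority: 2] {TCP} 198.51.100.44:54321 -> 192.168.1.1:22
12/24-23:58:04.900001  [**] [1:1000001:2] EXAMPLE WEB-CLIENT suspicious download [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:80 -> 192.168.1.21:33499
this line is not an alert and must be skipped
"""


def parse_alert(line: str) -> Optional[Dict]:
    """Parse one fast-alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["cls"],          # None when the rule had no classtype
        "priority": int(m["prio"]),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
    }


def ips_to_block(lines: Iterable[str], local_nets: Iterable[str],
                 max_priority: int = 2) -> List[str]:
    """Decide which source IPs to block from a batch of log lines.

    Policy (assumed for this example): block the alert's source address when
    its priority is at most `max_priority` (1 is most severe) and the source
    is not inside one of our own networks. Addresses are returned once each,
    in first-seen order, so a burst of repeated alerts yields one rule.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]
    seen, result = set(), []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["priority"] > max_priority:
            continue
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in local):
            continue  # never firewall our own hosts based on an outbound alert
        if alert["src"] not in seen:
            seen.add(alert["src"])
            result.append(alert["src"])
    return result


def block_commands(ips: Iterable[str], chain: str = "INPUT") -> List[str]:
    """Render iptables rules for the chosen addresses (returned, not executed)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    # On a real gateway you would also add the same rule to the FORWARD chain.
    for cmd in block_commands(ips_to_block(SAMPLE_LOG.splitlines(), ["192.168.1.0/24"])):
        print(cmd)
```

Because the block is computed from the log after Snort has already written the alert, any connection that completes between two reads of the file is never stopped, which is exactly the gap observed above; stopping the packet itself needs Snort's inline mode rather than a faster poll interval.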
Do I need more computing power?
HW/SW specs of the box?
Does Snort do some kind of buffering, and does it analyze the packets?
Buffering in general I don't know; packet buffering, yes, but only for fragments, and log buffering is a syslog/disk thing I suppose. Yes, it does analyse packets; that's what makes it preferable over "dumb" portscan alerters like PortSentry.
Which other tools like Snort + Guardian are available to analyze and block suspicious IPs, and has one of you reading this post already tested them with success?
Check out the LQ FAQ: Security references; there's a part on IDSes.
Can Snort detect P2P traffic made from clients that access the internet through a proxy, like KaZaA?
It's not about port access, it's the signatures. KaZaA v2 is harder to stop because it scans for other accessible ports.
How can I avoid and control that kind of traffic?
Have and enforce a policy that forbids local(net) users from running P2P software.
Merry Christmas to everybody.
Merry Christmas to you too. Bit early this year :-]