[Snort-devel] Idea/Thought.

tlewis at ...255...
Fri Aug 17 18:00:15 EDT 2001


I some time ago contributed a framework called "packet acquisition
engines" which allowed plugging in different packet acquisition
mechanisms to snort.  Initial support included pcap, Linux Netfilter
and BSD divert sockets.  The internal interface included provision
for passing a per-packet firewall verdict back to the paengine, and
the modifications to snort included the addition of a new keyword,
"verdict", that allowed an action to be specified for each rule.

Other work precludes my continuing work on this project, but I would be
happy to assist anyone wishing to pick this work back up.  I think that
the best approach for snort would be to integrate hogwash as a module
under this interface, since paengine is much more general than hogwash,
but hogwash does something that no paengine does.

$0.02.  Good luck.

--
Todd Lewis
tlewis at ...255...

On Fri, 17 Aug 2001, Alex Jokela wrote:

> Greetings!
> 
> I've used snort for a while now (off and on) -- and I have always loved it.
> But recently, I realized it was missing one thing (at least in my opinion),
> and that was a decent way to block packets -- much like the way that
> portsentry does: using an external program (like ipchains, ipf, ipfw,
> iptables, etc...)
> 
> I know that in the contrib there is a script which will generate ipchains
> rules based on snort responses, but this is not what I am looking for.
> 
> So...not being able to find anything, I have started to modify sp_respond.c
> (and a header or two) to include support for external programs (like the
> ones mentioned above) to be executed, as well as a way of appending to a file
> (in the case of a system reboot) the rules that are generated.
> 
> ...more information to come...
> 
> Constructive thoughts are welcome.
> 
> Thanks.
> 
> 	alex jokela
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
> 
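The per-rule "verdict" mechanism Todd describes, and the in-line blocking Alex is after, sketched as an added illustration in C (this is not code from snort, from the paengine patch, or from sp_respond.c; the struct layouts, rule set, addresses and function names are constructed for the example):

```c
/* Added illustration, not snort's code nor the paengine patch.  Each rule
 * carries a "verdict", detection returns one verdict per packet, a policy
 * layer can override it, and a Netfilter-style acquisition engine maps the
 * result to the kernel's accept/drop.  All names and values are constructed. */
#include <stddef.h>
#include <stdint.h>

typedef enum { VERDICT_PASS = 0, VERDICT_DROP = 1 } verdict_t;

/* Stand-in for the rule-header fields a rule matches on. */
typedef struct {
    uint8_t   proto;    /* 6 = TCP, 17 = UDP */
    uint16_t  dport;    /* 0 matches any destination port */
    verdict_t verdict;  /* value of the hypothetical "verdict" keyword */
} rule_t;

typedef struct { uint8_t proto; uint32_t src; uint16_t dport; } pkt_t;

/* Constructed rule set; a real sensor loads these from its config. */
static const rule_t rules[] = {
    { 6,  23, VERDICT_DROP },   /* telnet: block in-line */
    { 17, 53, VERDICT_PASS },   /* dns: alert only */
};

/* Constructed "never block" list (the management host).  Dropping on the
 * strength of a spoofable source address can cut off legitimate hosts, so
 * an in-line verdict should be overridable for addresses like these. */
static const uint32_t never_block[] = { 0x0A000001u /* 10.0.0.1 */ };

/* First matching rule decides; unmatched traffic passes, so a gap in the
 * rule set never turns the sensor into a black hole. */
verdict_t detect(const pkt_t *p) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].proto == p->proto &&
            (rules[i].dport == 0 || rules[i].dport == p->dport))
            return rules[i].verdict;
    return VERDICT_PASS;
}

/* Policy layer between detection and the acquisition engine. */
verdict_t apply_policy(const pkt_t *p, verdict_t v) {
    for (size_t i = 0; i < sizeof never_block / sizeof never_block[0]; i++)
        if (p->src == never_block[i])
            return VERDICT_PASS;
    return v;
}

/* Netfilter paengine side: the kernel expects NF_DROP (0) or NF_ACCEPT (1). */
unsigned int nf_verdict(verdict_t v) { return v == VERDICT_DROP ? 0u : 1u; }
```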