[Snort-devel] Multiple rule sets
tlewis at ...255...
Sat Feb 17 17:53:08 EST 2001
On Sat, 17 Feb 2001, Fyodor wrote:
> On Fri, Feb 16, 2001 at 02:40:47PM -0700, default wrote:
> > Since snort can now listen on multiple interfaces, has anyone though about
> > having multiple rules sets, one for each interface?
> The only platform where snort can listen on mutliple intefaces,
> is linux for the moment. But from the internal point of view (:-))
> it's hard to figure out which interface packet came from unless you
> do some evil hack to obtain interfaces ip addresses/masks and routing
> tables and do matching/lookup on the fly.. if I am missing something,
> let me know though :)
If I may suggest, it may be worth it to start thinking about these issues
in a way that transcends pcap. Already in my paengine release, one can
use either pcap or netfilter to acquire packets, and with Matt George's
paengine, you can use divert sockets under *BSD as well. I fully intend
to integrate this work into snort 2.0.
Pcap is exceptional in the fact that it grabs packets at the interface
itself; for other mechanisms, packet acquisition may happen, e.g., at
routing time, when a packet has either no interface association or two
interface associations (source and destination), or somewhere in between,
depending on how one looks at it. There may be cases where these other
mechanisms provide interface association, but not always or even most
of the time.
I do not know how best to deal with the class of problems that this case
represents. I struggle with what to do with the pcap-specific features
that are already in snort. I do not have any roadmap or formula for how
to deal with these issues, or any indication of how much pcap-specificity
is just enough, and I am not trying to ram my opinion down anyone's
throat here. What I would like to see, however, is two things: 1)
that others start thinking about these issues, so that when the time
comes to hash all of this out, we can have a well-reasoned discussion
that leads to a good solution, and 2) that we not gratuitously add any
more pcap dependencies until we're able to have that discussion.
On Fri, 16 Feb 2001, default wrote:
> I just finished up a plugin so that you can activate a rule just on a single
> interface (or !interface if you want). For Example:
> alert tcp any 80 <> any any (interface: eth0; msg "Test Plugin")
All of that having been said, Jason, it looks like a cool hack that
you did. Even if it's not integrated, I am sure that no one would mind
your posting the patch of your work.
Todd Lewis tlewis at ...120...
God grant me the courage not to give up what I think is right, even
though I think it is hopeless. - Admiral Chester W. Nimitz
More information about the Snort-devel