[Snort-devel] Multiple rule sets

Martin Roesch roesch at ...48...
Fri Feb 23 00:13:55 EST 2001


Being able to attach a detection engine/path to an interface is
something we're going to do in 2.0.  It'll be really handy for handling
things like disparate link layer types in the same machine, etc.  I'm
hoping to make pcap and the associated interface code just another
packet acquisition interface when the 2.0 code eventually ships, and
once we get things ironed out here a bit with 1.7.1 we'll address these
issues and figure out what 2.0 is going to look like in a lot more
detail.

    -Marty

Todd Lewis wrote:
> 
> On Sat, 17 Feb 2001, Fyodor wrote:
> 
> > On Fri, Feb 16, 2001 at 02:40:47PM -0700, default wrote:
> > > Since snort can now listen on multiple interfaces, has anyone thought about
> > > having multiple rules sets, one for each interface?
> >
> >
> > The only platform where snort can listen on multiple interfaces,
> > is linux for the moment. But from the internal point of view (:-))
> > it's hard to figure out which interface packet came from unless you
> > do some evil hack to obtain interfaces ip addresses/masks and routing
> > tables and do matching/lookup on the fly.. if I am missing something,
> > let me know though :)
> 
> If I may suggest, it may be worth it to start thinking about these issues
> in a way that transcends pcap.  Already in my paengine release, one can
> use either pcap or netfilter to acquire packets, and with Matt George's
> paengine, you can use divert sockets under *BSD as well.  I fully intend
> to integrate this work into snort 2.0.
> 
> Pcap is exceptional in the fact that it grabs packets at the interface
> itself; for other mechanisms, packet acquisition may happen, e.g., at
> routing time, when a packet has either no interface association or two
> interface associations (source and destination), or somewhere in between,
> depending on how one looks at it.  There may be cases where these other
> mechanisms provide interface association, but not always or even most
> of the time.
> 
> I do not know how best to deal with the class of problems that this case
> represents.  I struggle with what to do with the pcap-specific features
> that are already in snort.  I do not have any roadmap or formula for how
> to deal with these issues, or any indication of how much pcap-specificity
> is just enough, and I am not trying to ram my opinion down anyone's
> throat here.  What I would like to see, however, is two things: 1)
> that others start thinking about these issues, so that when the time
> comes to hash all of this out, we can have a well-reasoned discussion
> that leads to a good solution, and 2) that we not gratuitously add any
> more pcap dependencies until we're able to have that discussion.
> 
> On Fri, 16 Feb 2001, default wrote:
> 
> > I just finished up a plugin so that you can activate a rule just on a single
> > interface (or !interface if you want).  For Example:
> >
> > alert tcp any 80 <> any any (interface: eth0; msg:"Test Plugin";)
> 
> All of that having been said, Jason, it looks like a cool hack that
> you did.  Even if it's not integrated, I am sure that no one would mind
> your posting the patch of your work.
> 
> --
> Todd Lewis                                       tlewis at ...120...
> 
>   God grant me the courage not to give up what I think is right, even
>   though I think it is hopeless.          - Admiral Chester W. Nimitz
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org
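As an added illustration of the per-interface rule option Jason describes in the quoted message (this is example code, not Snort's and not anyone's in this thread): a toy matcher that parses the quoted rule, tries both directions for `<>`, and honours `interface:` and `!interface`. It assumes the packet acquisition layer tags each packet with an interface name, and that a packet acquired with no interface association (the routing-time case Todd raises) never satisfies an interface constraint, in either polarity.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed packet model: the acquisition layer tags each packet with the
# interface it arrived on; None models a capture method that gives no
# interface association (e.g. a hook at routing time rather than at pcap).
@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: Optional[str]

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Parse a Snort-style header plus a 'key:value;' option list."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("malformed rule: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def _endpoint_ok(rsrc, rsport, rdst, rdport, pkt):
    return (rsrc in ("any", pkt.src) and (rsport == "any" or int(rsport) == pkt.sport)
            and rdst in ("any", pkt.dst) and (rdport == "any" or int(rdport) == pkt.dport))

def iface_allows(spec, iface):
    """'eth0' matches only eth0; '!eth0' matches any other *known* interface.
    Unknown provenance (None) never satisfies an interface constraint."""
    if iface is None:
        return False
    return iface != spec[1:] if spec.startswith("!") else iface == spec

def rule_matches(rule, pkt):
    if rule["proto"] != pkt.proto:
        return False
    fwd = _endpoint_ok(rule["src"], rule["sport"], rule["dst"], rule["dport"], pkt)
    rev = rule["dir"] == "<>" and _endpoint_ok(rule["dst"], rule["dport"], rule["src"], rule["sport"], pkt)
    spec = rule["opts"].get("interface")  # absent: rule applies on every interface
    return (fwd or rev) and (spec is None or iface_allows(spec, pkt.iface))
```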
