[Snort-devel] BPF on the fly

Todd Lewis tlewis at ...120...
Mon Jan 8 14:45:31 EST 2001


That's a fascinating question.  Having just read through the pcap
source code, I was pretty disgusted to the point that I am contemplating
writing a raw BPF paengine for snort.  (Their callback logic is ingrained
throughout their entire code base; blech.)

If your fairy godmother were to deliver someone willing to write such
a thing, Jean-Philippe, how would you like the interface to appear?

--
Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz

On Mon, 8 Jan 2001, Jean-Philippe Grenier wrote:

> I was asking myself if it is possible to add BPF filters on the fly?
> 
> Like, if someone triggers an alert, to not read any more of his attacks.
> 
> I've never used BPF, but is it possible to filter multiple IPs, or
> will it be too overwhelming because the list of IPs to filter might be
> long?
> 
> 
> Thanks, Jean-Philippe 
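
An added example of the mechanism Jean-Philippe is asking about; this is not code from the thread, from Snort, or from libpcap. It keeps a bounded set of source hosts that have already tripped an alert, rebuilds the BPF expression each time one is added, and hands the new expression to a callback. In a real sensor that callback would call pcap_compile() and pcap_setfilter() on the open capture handle (both are libpcap calls that can be used at any time on a live capture, which is what makes filtering "on the fly" possible). The `apply` hook, the `looks_like_attack()` stand-in and the packet samples are assumptions made for the example; the sensor loop below simulates what the kernel does once the new program is installed, so the whole thing runs offline.

```python
"""Added example: maintain a BPF exclusion list that grows as alerts fire.

Not code from the thread or from Snort/libpcap.  The filter is rebuilt as a
BPF expression each time a host is added; a real sensor would hand that
string to pcap_compile() and pcap_setfilter() on its open pcap handle.  The
'apply' callback, looks_like_attack() and the packet samples below are
assumptions made for the example.
"""
import ipaddress
from typing import Callable, Optional

# Linux classic BPF rejects programs longer than BPF_MAXINSNS (4096)
# instructions, and every excluded host costs a few comparisons, so the
# list must be bounded rather than grown without limit.
DEFAULT_MAX_HOSTS = 256


class DynamicExcludeFilter:
    """Base capture filter plus a set of source hosts to stop inspecting."""

    def __init__(self, base_filter: str = "",
                 apply: Optional[Callable[[str], None]] = None,
                 max_hosts: int = DEFAULT_MAX_HOSTS) -> None:
        self.base_filter = base_filter.strip()
        self.apply = apply            # assumed hook: receives the new expression
        self.max_hosts = max_hosts
        self._hosts: set = set()      # ipaddress objects, never raw strings

    @property
    def excluded(self) -> frozenset:
        return frozenset(self._hosts)

    def expression(self) -> str:
        """Return the BPF expression for the current state."""
        if not self._hosts:
            return self.base_filter
        # Deterministic order so identical sets give identical programs.
        ordered = sorted(self._hosts, key=lambda a: (a.version, int(a)))
        exclude = " or ".join(f"src host {a}" for a in ordered)
        if self.base_filter:
            return f"({self.base_filter}) and not ({exclude})"
        return f"not ({exclude})"

    def add(self, host: str) -> bool:
        """Add an offending source host; returns False if already present.

        ipaddress.ip_address() rejects anything that is not a literal
        address, so attacker-influenced input such as "10.0.0.1 or tcp"
        cannot smuggle extra terms into the filter text (ValueError).
        """
        addr = ipaddress.ip_address(host)
        if addr in self._hosts:
            return False
        if len(self._hosts) >= self.max_hosts:
            raise OverflowError(
                f"exclusion list full ({self.max_hosts} hosts); "
                "aggregate to networks or rotate the list instead")
        self._hosts.add(addr)
        if self.apply is not None:
            self.apply(self.expression())   # e.g. pcap_compile + pcap_setfilter
        return True


# Constructed sample traffic: (source address, payload) pairs.
SAMPLE_PACKETS = [
    ("192.0.2.10", "GET /index.html"),
    ("192.0.2.10", "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"),
    ("192.0.2.10", "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"),
    ("198.51.100.7", "GET /index.html"),
    ("192.0.2.10", "GET /images/logo.gif"),
]


def looks_like_attack(payload: str) -> bool:
    """Stand-in for the detection engine; a real sensor has rule matching here."""
    return "/etc/passwd" in payload


def run_sensor(packets, flt: DynamicExcludeFilter):
    """Simulate the capture loop.

    Packets from excluded hosts are skipped before inspection, which is
    what the kernel does once the new BPF program is installed; everything
    else is inspected and, on an alert, the source is excluded on the fly.
    Returns (inspected packets, alerting sources in order).
    """
    inspected, alerts = [], []
    for src, payload in packets:
        if ipaddress.ip_address(src) in flt.excluded:
            continue                      # dropped by the filter, never seen
        inspected.append((src, payload))
        if looks_like_attack(payload):
            alerts.append(src)
            flt.add(src)                  # rebuild and re-apply the filter
    return inspected, alerts


if __name__ == "__main__":
    history = []
    f = DynamicExcludeFilter("tcp port 80", apply=history.append)
    seen, alerts = run_sensor(SAMPLE_PACKETS, f)
    print(f.expression())
    print(f"inspected {len(seen)} of {len(SAMPLE_PACKETS)} packets, alerts from {alerts}")
    print("filters applied:", history)
```

Two caveats worth keeping in mind with this approach: the second and later attacks from an excluded host are genuinely invisible to the sensor (that is the point of the question, but it also means no further evidence is logged from that host), and because each re-application compiles a new program, a filter that is rebuilt on every alert should be rate-limited or batched rather than recompiled per packet.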




