[Snort-devel] BPF on the fly
tlewis at ...120...
Mon Jan 8 14:45:31 EST 2001
That's a fascinating question. Having just read through the pcap
source code, I was pretty disgusted to the point that I am contemplating
writing a raw BPF paengine for snort. (Their callback logic is ingrained
throughout their entire code base; blech.)
If your fairy godmother were to deliver someone willing to write such
a thing, Jean-Philippe, how would you like the interface to appear?
Todd Lewis tlewis at ...120...
God grant me the courage not to give up what I think is right, even
though I think it is hopeless. - Admiral Chester W. Nimitz
On Mon, 8 Jan 2001, Jean-Philippe Grenier wrote:
> I was asking myself if it is possible to add BPF filters on the fly?
> Like if someone triggers an alert, to not read any more of his attacks.
> I've never used the BPF, but is it possible to filter multiple IPs or
> will it be too overwhelming because the list of IPs to filter might be
> Thanks, Jean-Philippe