[Snort-devel] BPF on the fly
jgrenier at ...177...
Mon Jan 8 15:49:12 EST 2001
I expected the false alarm rate to be high, so I thought to only keep
the portscan rules.
What's the paengine you're talking about? And yes, I'm on Linux.
From: Todd Lewis [mailto:tlewis at ...120...]
Sent: Monday, January 08, 2001 3:35 PM
To: Jean-Philippe Grenier
Subject: RE: [Snort-devel] BPF on the fly
FWIW, we are already adding firewall rules on snort matches, and it's
a pretty painful experience; the false positive rate is just too high.
That is why I wrote my paengine modification to snort; this way, you
can discard individual packets without having to block the entire site.
Are you working on Linux?
Todd Lewis tlewis at ...120...
God grant me the courage not to give up what I think is right, even
though I think it is hopeless. - Admiral Chester W. Nimitz
On Mon, 8 Jan 2001, Jean-Philippe Grenier wrote:
> Well, I've never been too deep in network programming, so I can't tell
> what kind of interface it would need. I haven't even played with libnet
> pcap yet.
> But I will be interested in helping to develop such a thing if you want
> to work on this.
> Modifying the BPF filter on the fly would have been pretty interesting for
> me, since I want to add firewall rules when I get an alert. So if a guy
> generates multiple alerts, I either have to add multiple identical rules
> (denying the guy) or keep a list of the ips that I've already denied and
> such a list might be too huge to search in.
> -----Original Message-----
> From: Todd Lewis [mailto:tlewis at ...120...]
> Sent: Monday, January 08, 2001 2:46 PM
> To: Jean-Philippe Grenier
> Cc: 'snort-devel at lists.sourceforge.net'
> Subject: Re: [Snort-devel] BPF on the fly
> That's a fascinating question. Having just read through the pcap
> source code, I was pretty disgusted to the point that I am contemplating
> writing a raw BPF paengine for snort. (Their callback logic is
> throughout their entire code base; blech.)
> If your fairy godmother were to deliver someone willing to write such
> a thing, Jean-Philippe, how would you like the interface to appear?
> Todd Lewis tlewis at ...120...
> God grant me the courage not to give up what I think is right, even
> though I think it is hopeless. - Admiral Chester W. Nimitz
> On Mon, 8 Jan 2001, Jean-Philippe Grenier wrote:
> > I was asking myself if it is possible to add BPF filters on the fly?
> > Like if someone triggers an alert, to not read any more of his attacks.
> > I've never used the BPF, but is it possible to filter multiple IPs or
> > will it be too overwhelming because the list of IPs to filter might be
> > long.
> > Thanks, Jean-Philippe
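The mechanism the thread is circling around (rebuild the BPF filter expression whenever an alert names a new source, and keep a set of already-denied hosts so repeat alerts from the same address don't add duplicate rules) sketched as a small example. This is added illustration, not code from snort, from Todd's paengine work or from anyone on the list; the class and function names, the `max_hosts` cap and the sample alert addresses are all constructed for the example.

```python
import ipaddress


class DynamicBlocklist:
    """Remembers which source hosts have already been denied after an alert
    and rebuilds the pcap/BPF filter expression that excludes their packets.

    Membership is a set, so "did I already deny this host?" is a hash lookup
    rather than a scan of a growing list."""

    def __init__(self, base_filter="", max_hosts=512):
        self.base_filter = base_filter   # filter snort was started with, e.g. "tcp"
        # Assumed cap (not a snort or libpcap value): a compiled BPF program has
        # a maximum instruction count and every extra host adds comparisons,
        # so the excluded-host list cannot grow without bound.
        self.max_hosts = max_hosts
        self._denied = set()

    def deny(self, ip):
        """Add a host. Returns True if the filter must be rebuilt, False if the
        host was already denied (a repeat alert from the same source)."""
        addr = ipaddress.ip_address(ip)   # raises ValueError on malformed input
        if addr in self._denied:
            return False
        if len(self._denied) >= self.max_hosts:
            raise OverflowError("too many hosts for one BPF filter; "
                                "fall back to a firewall rule instead")
        self._denied.add(addr)
        return True

    def is_denied(self, ip):
        return ipaddress.ip_address(ip) in self._denied

    def filter_expression(self):
        """Return the pcap-filter expression that would be handed to
        pcap_compile() and pcap_setfilter() on the capture handle."""
        if not self._denied:
            return self.base_filter
        # Sort by (version, numeric value) so IPv4 and IPv6 never compare directly.
        ordered = sorted(self._denied, key=lambda a: (a.version, int(a)))
        excluded = "not (" + " or ".join(f"src host {a}" for a in ordered) + ")"
        if self.base_filter:
            return f"({self.base_filter}) and {excluded}"
        return excluded


def apply_alerts(blocklist, alert_sources):
    """Feed a stream of alerting source addresses to the blocklist and return
    the filter expressions that had to be (re)installed, one per real change."""
    installed = []
    for src in alert_sources:
        if blocklist.deny(src):
            # In a real integration this is the point where the new expression
            # is compiled and set on the capture handle.
            installed.append(blocklist.filter_expression())
    return installed


if __name__ == "__main__":
    # Constructed sample: four alerts, only two distinct offending hosts,
    # so the filter is rebuilt twice rather than four times.
    sample_alerts = ["10.0.0.5", "10.0.0.5", "192.0.2.7", "10.0.0.5"]
    bl = DynamicBlocklist(base_filter="tcp")
    for expr in apply_alerts(bl, sample_alerts):
        print("new filter:", expr)
    print("denied 10.0.0.5:", bl.is_denied("10.0.0.5"))
```

Two things worth keeping in mind when reading it against the thread. First, once a host is excluded this way snort stops seeing that host at all, so nothing further from it is logged or alerted on; that is the "block the entire site" effect Todd contrasts with discarding individual packets. Second, the "list might be too long" worry is real but shows up at compile time: the expression grows by one comparison per host and a BPF program has a fixed maximum size, so past some point pcap_compile() refuses it, which is why the example caps the set and raises rather than silently producing a filter that cannot be installed.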