[Snort-devel] BPF on the fly

Jean-Philippe Grenier jgrenier at ...177...
Mon Jan 8 15:49:12 EST 2001


I expected the false alarm rate to be high, so I thought to only keep 
the portscan rules.

What's the paengine you're talking about? And yes, I'm on Linux.


Jean-Philippe

-----Original Message-----
From: Todd Lewis [mailto:tlewis at ...120...]
Sent: Monday, January 08, 2001 3:35 PM
To: Jean-Philippe Grenier
Subject: RE: [Snort-devel] BPF on the fly


FWIW, we are already adding firewall rules on snort matches, and it's
a pretty painful experience; the false positive rate is just too high.
That is why I wrote my paengine modification to snort; this way, you
can discard individual packets without having to block the entire site.

Are you working on Linux?

--
Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz

On Mon, 8 Jan 2001, Jean-Philippe Grenier wrote:

> Well I've never been too deep in network programming, so I can't tell
> you what kind of interface it would need. I didn't even play with libnet
> or pcap yet.
> 
> But I will be interested in helping to develop such a thing if you want
> to work on this.
> 
> Modifying the BPF filter on the fly would have been pretty interesting for
> me, since I want to add firewall rules when I get an alert. So if a guy
> generates multiple alerts, I either have to add multiple identical rules
> (denying the guy) or keep a list of the IPs that I've already denied, and
> such a list might be too huge to search in.
> 
> 
> Jean-Philippe 
> 
> -----Original Message----- 
> From: Todd Lewis [mailto:tlewis at ...120...]
> Sent: Monday, January 08, 2001 2:46 PM 
> To: Jean-Philippe Grenier 
> Cc: 'snort-devel at lists.sourceforge.net' 
> Subject: Re: [Snort-devel] BPF on the fly 
> 
> 
> That's a fascinating question.  Having just read through the pcap
> source code, I was pretty disgusted to the point that I am contemplating
> writing a raw BPF paengine for snort.  (Their callback logic is ingrained
> throughout their entire code base; blech.)
> 
> If your fairy godmother were to deliver someone willing to write such 
> a thing, Jean-Philippe, how would you like the interface to appear? 
> 
> -- 
> Todd Lewis                                       tlewis at ...120... 
> 
>   God grant me the courage not to give up what I think is right, even 
>   though I think it is hopeless.          - Admiral Chester W. Nimitz 
> 
> On Mon, 8 Jan 2001, Jean-Philippe Grenier wrote: 
> 
> > I was asking myself if it is possible to add BPF filters on the fly?
> > 
> > Like if someone triggers an alert, to not read any more of his attacks.
> > 
> > I've never used the BPF, but is it possible to filter multiple IPs, or
> > will it be too overwhelming because the list of IPs to filter might be
> > long.
> > 
> > 
> > Thanks, Jean-Philippe 
> 
> 
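A defender-side sketch of what the thread is circling around (a deduplicated deny list of alerting sources and a pcap filter expression rebuilt from it on each new alert), written as an added example in Python; it is not code from the thread, from Snort or from libpcap. It assumes standard pcap filter syntax (`src host`), and the cap on hosts per expression is a hypothetical value; the code only builds the expression string, it does not install it.

```python
import ipaddress

# Hypothetical bound: libpcap expands each "src host" clause into several BPF
# instructions and the kernel limits filter program size, so a very long deny
# list must be truncated (or aggregated into nets) rather than expanded as-is.
MAX_HOSTS_PER_FILTER = 256


class DenyList:
    """Alerting source IPs without duplicates; membership checks are O(1),
    which answers the 'list too huge to search' concern from the thread."""

    def __init__(self):
        self._hosts = {}  # insertion-ordered dict used as an ordered set

    def add(self, ip):
        """Record a denied host. Returns True only on first sight, so the
        caller can skip adding an identical firewall rule a second time."""
        addr = str(ipaddress.ip_address(ip))  # validates and normalises
        if addr in self._hosts:
            return False
        self._hosts[addr] = None
        return True

    def is_denied(self, ip):
        return str(ipaddress.ip_address(ip)) in self._hosts

    def hosts(self):
        return list(self._hosts)


def build_bpf_filter(denied, base="ip"):
    """Compose a pcap filter that keeps `base` traffic but drops packets from
    sources already on the deny list; excess hosts beyond the cap are left to
    the firewall rather than silently bloating the BPF program."""
    hosts = denied.hosts()[:MAX_HOSTS_PER_FILTER]
    if not hosts:
        return base
    clauses = " or ".join(f"src host {h}" for h in hosts)
    return f"({base}) and not ({clauses})"


def handle_alert(denied, src_ip, current_filter):
    """Per-alert hook: returns (filter_expression, changed). The filter is
    only rebuilt when the source is new, avoiding duplicate rules."""
    if denied.add(src_ip):
        return build_bpf_filter(denied), True
    return current_filter, False


if __name__ == "__main__":
    # Constructed sample of alert sources, including a repeat offender.
    dl, flt = DenyList(), build_bpf_filter(DenyList())
    for src in ["198.51.100.7", "203.0.113.4", "198.51.100.7"]:
        flt, changed = handle_alert(dl, src, flt)
        print(f"{src}: rebuilt={changed} -> {flt}")
```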