[Snort-devel] BPF on the fly

Martin Roesch roesch at ...48...
Thu Jan 18 02:37:15 EST 2001


I think that it's actually possible to load a filter set on the fly, but
I can't really speak to the good or bad of the libpcap architecture. 
Having it written to something a little more high performance might be
nice though... :)

   -Marty

Todd Lewis wrote:
> 
> That's a fascinating question.  Having just read through the pcap
> source code, I was pretty disgusted to the point that I am contemplating
> writing a raw BPF paengine for snort.  (Their callback logic is ingrained
> throughout their entire code base; blech.)
> 
> If your fairy godmother were to deliver someone willing to write such
> a thing, Jean-Philippe, how would you like the interface to appear?
> 
> --
> Todd Lewis                                       tlewis at ...120...
> 
>   God grant me the courage not to give up what I think is right, even
>   though I think it is hopeless.          - Admiral Chester W. Nimitz
> 
> On Mon, 8 Jan 2001, Jean-Philippe Grenier wrote:
> 
> > I was asking myself if it is possible to add BPF filters on the fly ?
> >
> > Like if someone trigger an alert, to not read anymore of his attacks.
> >
> > I've never used the BPF, but is it possible to filter multiple ips or
> > will it be to overhelming because the list of ips to filter might be
> > long.
> >
> >
> > Thanks, Jean-Philippe
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org




More information about the Snort-devel mailing list