[Snort-devel] spp_sicmple

Chris Green cmg at ...402...
Wed Jun 26 17:59:01 EDT 2002


Andreas Östling <andreaso at ...387...> writes:

> Hello,
>
> Disclaimer:
> This program should probably not be taken too seriously.
> It's not really finished and it was mostly written to try to learn how to
> write a Snort preprocessor, and also to learn some more C. It's not ready
> for production use yet (and perhaps never will be?). Use at your own risk
> and beware of fatal brain damage, blah blah blah, yada yada yada.
> Feedback is much appreciated anyway.
>
> spp_sicmple is a very simple Snort preprocessor that keeps state on some
> ICMP query/response type packets. This means that Snort will generate an
> alert when it sees a reply packet without first seeing its request.
> At the moment, echo request/echo reply are the only types fully (or
> almost fully) supported. spp_sicmple can be used to detect
> misconfigured routers/hosts and some covert channels (e.g. the most common
> versions of Stacheldraht) etc etc.

You can add a set of callbacks for spp_conversation now (check out the
psWatch function).  You can delete the conversation at the end of it
if you see a real "session terminator" and/or add a callback that
happens on session termination :-)

It's kinda neat code that will hopefully evolve rather quickly.  1.8.7
is "done".  It's going to be packed up and shipped out the door ASAP. :-)
-- 
Chris Green <cmg at ...402...>
Eschew obfuscation.
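
As an added illustration of the check the quoted post describes (this is not spp_sicmple's own code and uses no Snort API), here is a stand-alone C model of stateful ICMP echo tracking: echo requests are remembered by the tuple (src, dst, id, seq), a reply is matched against the reversed tuple, and a reply with no outstanding request raises an alert. The packet struct, the fixed-size table, the eviction rule and the sample traffic are all assumptions made for the example, not a description of what spp_sicmple actually keys on.

```c
/* Added example: stand-alone model of a stateful ICMP echo request/reply
 * check. Not spp_sicmple's code; no Snort API is used. Packets are assumed
 * to arrive already parsed into the small struct below. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHO_REPLY    0   /* ICMP type values from RFC 792 */
#define ICMP_ECHO_REQUEST  8
#define MAX_PENDING       64   /* assumed table size for the example */

struct icmp_pkt {
    uint32_t src;   /* IPv4 source, host byte order (assumed representation) */
    uint32_t dst;
    uint8_t  type;
    uint16_t id;    /* ICMP echo identifier */
    uint16_t seq;   /* ICMP echo sequence number */
};

/* One outstanding echo request: the tuple a legitimate reply must match. */
struct pending {
    int used;
    uint32_t src, dst;
    uint16_t id, seq;
};

static struct pending table[MAX_PENDING];
static unsigned long alerts;

static int find_pending(uint32_t src, uint32_t dst, uint16_t id, uint16_t seq) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (table[i].used && table[i].src == src && table[i].dst == dst &&
            table[i].id == id && table[i].seq == seq)
            return i;
    return -1;
}

static void remember(const struct icmp_pkt *p) {
    int slot = 0;                       /* slot 0 is evicted when the table is full */
    for (int i = 0; i < MAX_PENDING; i++)
        if (!table[i].used) { slot = i; break; }
    table[slot].used = 1;
    table[slot].src = p->src; table[slot].dst = p->dst;
    table[slot].id = p->id;   table[slot].seq = p->seq;
}

/* Feed one packet to the tracker. Returns 1 if it raised an alert, else 0. */
int icmp_track(const struct icmp_pkt *p) {
    if (p->type == ICMP_ECHO_REQUEST) {
        /* A retransmitted request keeps its single existing entry. */
        if (find_pending(p->src, p->dst, p->id, p->seq) < 0)
            remember(p);
        return 0;
    }
    if (p->type == ICMP_ECHO_REPLY) {
        /* The reply travels in the reverse direction of its request. */
        int i = find_pending(p->dst, p->src, p->id, p->seq);
        if (i < 0) {
            alerts++;
            printf("ALERT: echo reply id=%u seq=%u from %08x to %08x without a request\n",
                   p->id, p->seq, (unsigned)p->src, (unsigned)p->dst);
            return 1;
        }
        table[i].used = 0;   /* consumed: a second reply to it would alert again */
        return 0;
    }
    return 0;                /* other ICMP types are not tracked in this example */
}

void icmp_track_reset(void) { memset(table, 0, sizeof table); alerts = 0; }
unsigned long icmp_alert_count(void) { return alerts; }

/* Constructed sample traffic: one normal ping exchange, then two replies for
 * which no request was seen (the unsolicited-reply pattern the post targets). */
int run_sample(void) {
    static const struct icmp_pkt sample[] = {
        { 0x0a000001, 0x0a000002, ICMP_ECHO_REQUEST, 0x1234, 1 },
        { 0x0a000002, 0x0a000001, ICMP_ECHO_REPLY,   0x1234, 1 },
        { 0x0a000002, 0x0a000001, ICMP_ECHO_REPLY,   0x1234, 2 },  /* no request */
        { 0xc0a80005, 0x0a000001, ICMP_ECHO_REPLY,   0x0001, 0 },  /* no request */
    };
    icmp_track_reset();
    int n = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        n += icmp_track(&sample[i]);
    return n;
}

int main(void) {
    printf("%d alert(s) on sample traffic\n", run_sample());
    return 0;
}
```

Two caveats a practitioner would want: replies are matched on id and seq, so an attacker who can observe a real request can craft a reply that passes, and the fixed table with slot-0 eviction means a flood of requests can push legitimate state out and cause false alerts; a production preprocessor needs a bounded, timed-out state table rather than this toy.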
