[Snort-devel] Re: [Snort-users] Distributed Snort
fknobbe at ...337...
Thu Nov 14 10:08:04 EST 2002
On Thu, 2002-11-14 at 10:53, Paul Poh wrote:
> I had emailed the list in July about a new output plugin that I was
> planning to write. I've actually just finished the first pass about two
> weeks or so ago. It works fine for my needs and it's been tested in my
> environment (ie Linux on x86 only).
> The plugin does what you described. The data format is based on the
> existing unified snort format. It does use SSL as the transport so
> OpenSSL is required.
I appreciate your offer, but my main goal is really the input plugin on
the central sensor (see other posting with ASCII drawing). Since that
has to receive the data, I'm not sure how easy SSL would be to
integrate. I was thinking clear-text and let folks pump the data over
SSH. Or optionally Twofish encrypted (the network connectivity concept
is similar to Snortsam, with an accept list on the central sensor).
I'm not sure what data you are piping over SSL, but my plan is to just
grab the packet struct and the event struct as they are since these are
provided to the output plugins. I don't plan on separating the data into
little components. I'd rather just hand over the whole struct.
What fields does your plugin forward? Do you break out the IP info or
just transmit the struct?
A non-text attachment was scrubbed (307 bytes; a digitally signed message part).
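The two design points raised in this reply, handing the sensor's structs over a socket to a central input plugin and gating that input with an accept list, are illustrated below as an added example. This is editor-written code, not Snort's output or input plugin and not the poster's plugin; the event field names, the struct layouts, the 4-byte length prefix and the sample addresses are constructed for the illustration and are not Snort's real Event/Packet definitions. It also shows why "just hand over the whole struct" is not enough on its own: a native (`@`) layout carries the sending host's byte order and compiler padding, so the receiver must agree on an explicit wire layout (`!`) instead.

```python
import ipaddress
import socket
import struct

# Constructed event record for the example (assumption: not Snort's Event struct).
EVENT_FIELDS = ("sig_generator", "sig_id", "sig_rev", "tv_sec", "tv_usec")
NATIVE_FMT = "@IIHqI"  # what shipping the raw C struct gives you: host byte order plus padding
WIRE_FMT = "!IIHqI"    # explicit big-endian, no padding: identical on every sensor platform
HEADER_FMT = "!I"      # 4-byte length prefix so records can be framed on a stream socket


def layout_sizes():
    """Return (native_size, wire_size) so the padding difference is visible."""
    return struct.calcsize(NATIVE_FMT), struct.calcsize(WIRE_FMT)


def pack_event(ev, fmt=WIRE_FMT):
    """Serialize an event dict field-by-field into the chosen struct layout."""
    return struct.pack(fmt, *(ev[f] for f in EVENT_FIELDS))


def unpack_event(blob, fmt=WIRE_FMT):
    """Inverse of pack_event: bytes back into a dict keyed by EVENT_FIELDS."""
    return dict(zip(EVENT_FIELDS, struct.unpack(fmt, blob)))


def frame(payload):
    """Prefix a record with its length so the receiver knows where it ends."""
    return struct.pack(HEADER_FMT, len(payload)) + payload


def peer_allowed(peer_ip, accept_list):
    """Central-sensor accept list: only sources inside a listed network may feed events."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in accept_list)


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or fail if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def receive_event(sock, peer_ip, accept_list):
    """Input-plugin side: enforce the accept list first, then read one framed record."""
    if not peer_allowed(peer_ip, accept_list):
        raise PermissionError(f"{peer_ip} is not in the accept list")
    (length,) = struct.unpack(HEADER_FMT, recv_exact(sock, struct.calcsize(HEADER_FMT)))
    # Reject anything that is not exactly one event record before parsing it.
    if length != struct.calcsize(WIRE_FMT):
        raise ValueError(f"unexpected record length {length}")
    return unpack_event(recv_exact(sock, length))


def demo_exchange(peer_ip="10.0.0.5", accept_list=("10.0.0.0/24",)):
    """Run sender and receiver over an in-process socket pair; return the decoded event."""
    sample = {  # constructed sample event, not real alert data
        "sig_generator": 1, "sig_id": 2003068, "sig_rev": 7,
        "tv_sec": 1037290084, "tv_usec": 123456,
    }
    sender, receiver = socket.socketpair()
    try:
        sender.sendall(frame(pack_event(sample)))
        return receive_event(receiver, peer_ip, accept_list)
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    print("native vs wire size:", layout_sizes())
    print("decoded on central sensor:", demo_exchange())
```

The accept list here checks only the peer address, which is what the Snortsam-style design described above provides; on its own it does not authenticate the sender, which is why the reply also proposes tunnelling the clear-text stream over SSH or encrypting it.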