[Snort-devel] Re: [Snort-users] Distributed Snort

Paul Poh paul at ...1481...
Thu Nov 14 10:50:03 EST 2002


Frank Knobbe wrote:
> 
> I appreciate your offer, but my main goal is really the input plugin on
> the central sensor (see other posting with ASCII drawing). Since that
> has to receive the data, I'm not sure how easy SSL would be to
> integrate. I was thinking clear-text and let folks pump the data over
> SSH. Or optionally TwoFish encrypted (the network connectivity concept
> is similar to Snortsam, with an accept list on the central sensor).

Ahhh. I see what you mean. It's a nice idea.

The output-plugin I wrote is essentially a publisher. It allows a single 
subscriber (or client) to connect to it and as snort generates alerts or 
logs it will publish the events to the client. When there is no client 
connected, it caches the events in a file.

> I'm not sure what data you are piping over SSL, but my plan is to just
> grab the packet struct and the event struct as they are since these are
> provided to the output plugins. I don't plan on separating the data into
> little components. I'd rather just hand over the whole struct.
> 
> What fields does your plugin forward? Do you break out the IP info or
> just transmit the struct?

I transmit the entire UnifiedLog and UnifiedAlert struct after I convert
the fields to network-byte order. I also added a UnifiedStat struct,
which is actually the PacketCount struct type, so that it is possible to
have snort emit statistics via the output-plugin.
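As an added example (not Paul's plugin code and not Snort's own source), here is the field-by-field network-byte-order conversion the reply describes, done for a hypothetical record modelled on UnifiedAlert: the publisher packs each field with htonl/htons and the subscriber length-checks the record before parsing it back, which is what avoids shipping struct padding and host endianness over the wire. The field set and the 42-byte wire length are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record modelled on Snort's UnifiedAlert; the field set is an
 * assumption for illustration, not the project's exact layout. */
typedef struct {
    uint32_t sig_generator, sig_id, sig_rev, classification, priority;
    uint32_t ts_sec, ts_usec;   /* event timestamp */
    uint32_t sip, dip;          /* IPv4 addresses, host order in memory */
    uint16_t sp, dp;            /* ports */
    uint8_t  protocol, flags;
} alert_rec_t;

#define ALERT_WIRE_LEN 42       /* 9*4 + 2*2 + 2*1: packed, no padding */
/* Per-field helpers: host order <-> big-endian wire order. */
static unsigned char *put32(unsigned char *p, uint32_t v) { v = htonl(v); memcpy(p, &v, 4); return p + 4; }
static unsigned char *put16(unsigned char *p, uint16_t v) { v = htons(v); memcpy(p, &v, 2); return p + 2; }
static const unsigned char *get32(const unsigned char *p, uint32_t *v) { memcpy(v, p, 4); *v = ntohl(*v); return p + 4; }
static const unsigned char *get16(const unsigned char *p, uint16_t *v) { memcpy(v, p, 2); *v = ntohs(*v); return p + 2; }
/* Publisher side: serialise field by field rather than memcpy'ing the struct,
 * so struct padding and host endianness never reach the wire.
 * Returns bytes written, or 0 if buf is too small. */
size_t alert_to_wire(const alert_rec_t *a, unsigned char *buf, size_t len)
{
    if (len < ALERT_WIRE_LEN) return 0;
    unsigned char *p = buf;
    p = put32(p, a->sig_generator); p = put32(p, a->sig_id); p = put32(p, a->sig_rev);
    p = put32(p, a->classification); p = put32(p, a->priority); p = put32(p, a->ts_sec);
    p = put32(p, a->ts_usec); p = put32(p, a->sip); p = put32(p, a->dip);
    p = put16(p, a->sp); p = put16(p, a->dp);
    *p++ = a->protocol; *p++ = a->flags;
    return (size_t)(p - buf);
}

/* Subscriber side: length check first, then parse back to host order.
 * Returns 1 on success, 0 if the record is truncated. */
int alert_from_wire(const unsigned char *buf, size_t len, alert_rec_t *a)
{
    if (len < ALERT_WIRE_LEN) return 0;
    const unsigned char *p = buf;
    p = get32(p, &a->sig_generator); p = get32(p, &a->sig_id); p = get32(p, &a->sig_rev);
    p = get32(p, &a->classification); p = get32(p, &a->priority); p = get32(p, &a->ts_sec);
    p = get32(p, &a->ts_usec); p = get32(p, &a->sip); p = get32(p, &a->dip);
    p = get16(p, &a->sp); p = get16(p, &a->dp);
    a->protocol = *p++; a->flags = *p;
    return 1;
}
```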