[Snort-devel] Patch for supporting remote adapters in snort

Fulvio Risso fulvio.risso at ...157...
Thu May 22 05:28:06 EDT 2003


> -----Original Message-----
> From: Chris Green [mailto:cmg at ...402...]
> Sent: Wednesday 21 May 2003 16.19
> To: Fulvio Risso
> Cc: snort-devel at lists.sourceforge.net; winpcap-users at ...1989...
> Subject: Re: [Snort-devel] Patch for supporting remote adapters in snort
>
>
> "Fulvio Risso" <fulvio.risso at ...157...> writes:
>
> > Hello folks.
> >
> > As you may have noticed, the new WinPcap 3.0 adds support for
> > remote capture.  I think this could be very useful in snort as well.
> > The changes required to support this feature are really limited.
>
> Good Day Fulvio,
>
> I'm perhaps a bit naive but I'm having trouble understanding the use
> of such a feature. Is it so that windows users can get the same type
> of functionality as ssh host tcpdump -s 1514 -w - | snort -dev -r - so
> they can use all their myriad of trouble shooting apps and install a
> single remote capture thingie?

Yes.
You can have a host (currently Win32, but Linux and BSD are working as
well, although the code is not public yet) which acts as a probe and
captures all the packets (or a subset of them, depending on the filter).
This probe sends packets back to the collecting host (where you have
tcpdump, snort, whatever), where your favourite app processes them.


> I don't see this being useful for IDS because of the latency but for

Data is returned by means of a TCP connection, but you can use UDP
(optional).


> trouble shooting type applications, I understand it.

I don't know if this can be useful, although I presume it is.

What I know is that:
- the changes are so limited that I think it is stupid not to include them
in the current code
- these changes do not have any drawbacks (these patches do not affect the
normal behaviour in any way)
- you can run your favourite app and your favourite OS, while the probe can
run on another workstation with another OS
- it could be a good idea to implement the probe in network routers. In this
case, the remote capture is a big win because you don't have access to the
OS of the router, but you are allowed to capture packets flowing in the
device. I'm aware that at least one router family (Cisco MDS) partially
implements this feature.



>
> Does it still act like a normal filter ( a remote pcap without a bpf
> filter seems like a lossy interface)?

All the features you can have locally are supported in the remote capture as
well.

Let me know,

	fulvio
