[Snort-devel] snort distributed
mmuench at ...1877...
Mon Feb 7 05:16:33 EST 2005
I'm a student from Germany and searching for an interesting
project for my diploma.
I was playing around with snort for a while and would like to make
snort into a distributed system.
Imagine you have a network which uses dynamic routing (in this
simple example 2 routes).
You have 2 snort sensors, one in each route. Now we try to connect
to a TCP server behind the two sensors. The three-way handshake was
going over route 1 and the stream4 preprocessor from sensor1 has the
session in his state-table.
When the route is changing and we are using route 2 for the rest of the
session, the sensor2 will drop the packets because he has no entry in his
Hm, as far as I know, the only solution would be to implement snort as a
distributed system (and I don't mean the place where you store logs
and alerts from different sensors). It affects not only stream4, think
about "get /etc/" goes over sensor1 and "passwd" over sensor2....
Well to be honest, I didn't take much time to research the snort source
code, I just want to ask if it is possible for an experienced C
programmer to add this feature to snort in 4 or 5 months (full time)?
Are there any projects which are targeting this problem already?
Any other interesting problems to solve???
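
A small model of the scenario in this post, added here as an illustration; it is not part of the original message and is not Snort code. The Sensor class, its strict flag, the shared table and the sample addresses are constructed assumptions, and only in-order client segments are modeled.

```python
from dataclasses import dataclass, field

SIGNATURE = b"/etc/passwd"  # content split across the two routes in the post

@dataclass
class Sensor:
    name: str
    strict: bool = True                         # drop mid-stream packets with no session
    flows: dict = field(default_factory=dict)   # flow key -> reassembled client bytes

    def see(self, flow, flags, data, shared=None):
        """Return 'pass', 'drop' or 'alert' for one in-order client segment."""
        table = self.flows if shared is None else shared
        if flags == "SYN":
            table[flow] = b""                   # session start creates state
            return "pass"
        if flow not in table:
            if self.strict:
                return "drop"                   # no entry in this sensor's table
            return "alert" if SIGNATURE in data else "pass"  # packet-only view
        table[flow] += data
        return "alert" if SIGNATURE in table[flow] else "pass"

# Constructed traffic: route 1 carries the start of the session, route 2 the rest.
FLOW = ("192.0.2.10", 40000, "192.0.2.80", 80)
TRAFFIC = [
    (1, "SYN", b""),
    (1, "ACK", b"GET /etc/"),
    (2, "ACK", b"passwd HTTP/1.0\r\n\r\n"),
]

def run(strict=True, share_state=False):
    """Replay TRAFFIC through two sensors and return the verdict per packet."""
    sensors = {1: Sensor("sensor1", strict), 2: Sensor("sensor2", strict)}
    shared = {} if share_state else None        # one table visible to both sensors
    return [sensors[route].see(FLOW, flags, data, shared)
            for route, flags, data in TRAFFIC]

if __name__ == "__main__":
    print("independent, strict  :", run(True, False))
    print("independent, lenient :", run(False, False))
    print("shared state         :", run(True, True))
```

With independent tables the second sensor either drops the segment or passes it without matching; only the shared table reassembles the request and alerts.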