[Snort-devel] snort distributed

Martin Muench mmuench at ...1877...
Mon Feb 7 05:16:33 EST 2005


Hi everyone

I'm a student from Germany and searching for an interesting
project for my diploma.

I was playing around with Snort for a while and would like to turn
Snort into a distributed system.

The problem:

Imagine you have a network which uses dynamic routing (in this
simple example 2 routes).
You have 2 Snort sensors, one in each route. Now we try to connect
to a TCP server behind the two sensors. The three-way handshake was
going over route 1 and the stream4 preprocessor from sensor1 has the
session in its state table.

When the route changes and we are using route 2 for the rest of the
session, sensor2 will drop the packets because it has no entry in its
state table.

Solution:

Hm, as far as I know, the only solution would be to implement Snort as a
distributed system (and I don't mean the place where you store logs
and alerts from different sensors). It affects not only stream4; think
about "get /etc/" going over sensor1 and "passwd" over sensor2....

The question(s):

Well, to be honest, I didn't take much time to research the Snort source
code; I just want to ask if it is possible for an experienced C
programmer to add this feature to Snort in 4 or 5 months (full time)?

Are there any projects which are targeting this problem already?

Any other interesting problems to solve ???

thanks

martin
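The failure mode described in the post, as an added model (not Snort code): two sensors each keep a stream4-like session table keyed on the TCP endpoints; the handshake is seen only on route 1, then the data segments arrive on route 2. Names, addresses, the split "GET /etc/" + "passwd" request and the content signature are all constructed for the illustration; the private-table run shows sensor2 dropping the segments, the shared-table run shows the session state following the flow and the rule firing.

```python
# Added model (not Snort code) of the asymmetric-routing problem described
# above: each sensor keeps a stream4-like session table keyed on the TCP
# endpoints; a segment for a session whose handshake was never seen is dropped.
SIGNATURE = "GET /etc/passwd"  # constructed content rule split across sensors


class Sensor:
    """Minimal stateful inspector; `table` is private or shared between sensors."""

    def __init__(self, name, table=None):
        self.name = name
        self.table = {} if table is None else table   # key -> reassembled payload
        self.dropped, self.alerts = [], []

    def inspect(self, pkt):
        key = (pkt["src"], pkt["dst"])
        if pkt["flags"] == "SYN":          # handshake starts a new session
            self.table[key] = ""
            return "new"
        if key not in self.table:          # no state here: stream4-style drop
            self.dropped.append(pkt)
            return "dropped"
        self.table[key] += pkt["payload"]  # reassemble client->server data in order
        if SIGNATURE in self.table[key]:
            self.alerts.append(key)
            return "alert"
        return "ok"


def pkt(route, flags, payload=""):
    # constructed client->server segments; `route` selects which sensor sees them
    return {"route": route, "src": "10.0.0.5:4000", "dst": "10.0.1.9:80",
            "flags": flags, "payload": payload}


# Handshake over route 1, then the route changes and the request, split
# across two segments as in the post, travels over route 2.
TRACE = [pkt(1, "SYN"), pkt(1, "ACK"),
         pkt(2, "PSH", "GET /etc/"), pkt(2, "PSH", "passwd HTTP/1.0\r\n")]


def run(shared_state):
    """Return (per-packet verdicts, segments dropped by sensor2, alerts raised)."""
    table = {} if shared_state else None
    sensors = {1: Sensor("sensor1", table), 2: Sensor("sensor2", table)}
    verdicts = [sensors[p["route"]].inspect(p) for p in TRACE]
    alerts = len(sensors[1].alerts) + len(sensors[2].alerts)
    return verdicts, len(sensors[2].dropped), alerts


if __name__ == "__main__":
    print("private tables:", run(False))  # sensor2 drops both data segments, no alert
    print("shared table:  ", run(True))   # state follows the session, alert fires
```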
