[Fwd: Re: [Snort-devel] Input-Plugin]
svf_rebell at ...224...
Sun Feb 5 01:28:08 EST 2006
Roland Turner wrote:
> Not so much "improperly" as incompletely. You've still not said much
> about what your source of packets is. You're free to keep this to
> yourself of course, but absent a straightforward way to do this, knowing
> more about the context in which you're trying to work (e.g. knowing
> where your data is coming from) is likely to inform better suggestions.
I apologize. The setup is as follows:
Different sensors (libpcap) export packet information via IPFIX to a
concentrator. This concentrator should manage different detection
modules. This is actually done by writing the received data to
sequential files on a RAM disk and informing the detection modules about
the newly written files via a shared memory segment.
(modified) Snort should work as a detection module.
I hope I answered some questions and did not generate a lot more.
> The current snort code is pretty strongly wedded to libpcap and libipq.
> The lines of attack that I'd consider are:
Thanks a lot for the answers.