[Fwd: Re: [Snort-devel] Input-Plugin]

Nico svf_rebell at ...224...
Sun Feb 5 01:28:08 EST 2006


Roland Turner wrote:
> Not so much "improperly" as incompletely. You've still not said much
> about what your source of packets is. You're free to keep this to
> yourself of course, but absent a straightforward way to do this, knowing
> more about the context in which you're trying to work (e.g. knowing
> where your data is coming from) is likely to inform better suggestions.
> 

I apologize. The setup is as follows:

Different Sensors(libpcap) export packet information via IPFIX to a
concentrator. This concentrator should manage different detection
modules. This is actually done by writing the recieved data to
sequential files on a RAM disk and inform the detection modules about
the newly written files via a shared memory segment.

(modified) Snort should work as a detection module.

I hope i answered some questions and not generated a lot more.

> The current snort code is pretty strongly wedded to libpcap and libipq.
> The lines of attack that I'd consider are:

Thanks a lot for the answers.

Nico




More information about the Snort-devel mailing list