[Snort-devel] any function in Snort to drop packets?

Jerry Zhang jerry3558 at ...2499...
Mon Oct 22 16:14:32 EDT 2007


Hi,
Thanks.

I think it is necessary for me to run Snort in inline mode in order to use
InlineDrop(p), right? But I do not want to run it in inline mode.

I want to organize my preprocessors and the snort detection engine like
this:

Preprocessor1 ---> Preprocessor2 ---> Preprocessor3 ---> Snort detection engine (rule based).

1) Preprocessor1 decides which packets should be handled in Preprocessor2,
2) Preprocessor2 decides which packets (some of those from 1)) should be handled
in Preprocessor3,
3) Preprocessor3 decides which packets (some of those from 2)) should be checked
in the Snort detection engine.

To make it work, how can I achieve the things below?

1) How can I make the preprocessors run in order in Snort? Say, Preprocessor1
touches the packet first, then Preprocessor2, and so on.

2) After Preprocessor1 decides which packets should be passed to
Preprocessor2 while the others should be dropped, Preprocessor1 wants to
drop those packets. How can I perform this "drop" action in practice?

Thanks


2007/10/19, Will Metcalf <william.metcalf at ...2499...>:
>
> InlineDrop(p);
>
> On 10/19/07, Jerry Zhang <jerry3558 at ...2499...> wrote:
> > Hi
> >
> > Is there any function I can use to drop a certain packet in preprocessor in
> > the snort?
> >
> > Thanks
> > jerry