[Snort-devel] Custom Input of packets into Snort

David Bramer david.bramer at ...2499...
Sat May 21 17:06:11 EDT 2011


Hi,

Due to legacy reasons I receive packets encapsulated in a custom
format created by my company. What I want to do is hack Snort so that
I can listen on a network interface, decapsulate the input (this is
easy) and pass the packet into Snort. I've been looking at the source
as to how best to achieve this.

I've considered modifying the -r option used for a single pcap file,
which calls PQ_Single, or alternatively creating something that calls
PQ_Multi.

Am I on the right tracks, or is there something better that I can do?
For instance, I have read a little about preprocessors; are those
something that would allow me to decapsulate the stuff I get?

Cheers

David



