[Snort-devel] Custom Input of packets into Snort

Russ Combs rcombs at ...402...
Sat May 21 17:44:53 EDT 2011


On Sat, May 21, 2011 at 5:06 PM, David Bramer <david.bramer at ...2499...>wrote:

> Hi,
>
> Due to legacy reasons I receive packets encapsulated in a custom
> format created by my company. What I want to do is hack snort so that
> I can listen on a network interface, decapsulate the input (This is
> easy) and pass the packet into snort. I've been looking at the source
> as how best to achieve this.
>
> I've considered modifying the -r option used for single pcap file
> which calls PQ_Single, alternatively creating something that calls
> PQ_Multi.
>
> Am I on the right track, or is there something better that I can do?
> For instance, I have read a little about preprocessors; are those
> something that would allow me to decapsulate the stuff I get?
>

Do you have a unique DLT (data link type) value to key off of?

It sounds like creating a custom grinder would be the easiest (and best)
solution.

Take a look at DecodeNullPkt() (in decode.c, called from snort.c) as an
example.

>
> Cheers
>
> David
>
>
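The shape of a DLT-keyed grinder, as an added example (not code from Snort or from either poster): a standalone C model of a decoder that validates and strips a custom encapsulation and then hands the inner packet to the decoder for its own link type. The 8-byte "CUST" header, the use of libpcap's private DLT_USER0 (147) for the custom format, and the two sample buffers are all invented for illustration; Snort's real Packet and DAQ_PktHdr_t types are replaced by a small stand-in struct.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_EN10MB 1     /* Ethernet */
#define DLT_RAW    12    /* raw IP; libpcap's value on Linux (OpenBSD uses 14) */
#define DLT_USER0  147   /* first private libpcap DLT; assumed here for the custom format */

/* Invented encapsulation header (8 bytes, big-endian):
 *   magic "CUST" | version (1) | inner type (0 = raw IP, 1 = Ethernet) | inner length */
#define CUST_MAGIC   0x43555354u
#define CUST_VERSION 1
#define CUST_HDR_LEN 8

enum status { DEC_OK = 0, DEC_TRUNCATED, DEC_BAD_MAGIC, DEC_BAD_VERSION, DEC_UNSUPPORTED };

typedef struct {            /* stand-in for the few Packet fields this model needs */
    const uint8_t *inner;   /* start of the decapsulated packet */
    size_t inner_len;
    uint8_t ip_proto;       /* protocol field of the inner IPv4 header */
} packet_t;

typedef enum status (*grinder_fn)(packet_t *p, const uint8_t *pkt, size_t len);

static enum status decode_raw_ip(packet_t *p, const uint8_t *pkt, size_t len)
{
    if (len < 20) return DEC_TRUNCATED;               /* shorter than a minimal IPv4 header */
    if ((pkt[0] >> 4) != 4) return DEC_UNSUPPORTED;   /* IPv4 only in this model */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > len || total < ihl || total > len) return DEC_TRUNCATED;
    p->ip_proto = pkt[9];
    return DEC_OK;
}

static enum status decode_ethernet(packet_t *p, const uint8_t *pkt, size_t len)
{
    if (len < 14) return DEC_TRUNCATED;
    if (((pkt[12] << 8) | pkt[13]) != 0x0800) return DEC_UNSUPPORTED;
    return decode_raw_ip(p, pkt + 14, len - 14);
}

static enum status decode_custom(packet_t *p, const uint8_t *pkt, size_t len);

/* Per-DLT grinder selection: the role snort.c plays when it picks a decoder
 * for the capture's data link type. */
static grinder_fn select_grinder(int dlt)
{
    switch (dlt) {
    case DLT_EN10MB: return decode_ethernet;
    case DLT_RAW:    return decode_raw_ip;
    case DLT_USER0:  return decode_custom;
    default:         return NULL;
    }
}

/* The custom grinder. Every header field is checked against the captured
 * length before use, so a truncated or hostile header cannot drive an
 * out-of-bounds read in the inner decoder. */
static enum status decode_custom(packet_t *p, const uint8_t *pkt, size_t len)
{
    if (len < CUST_HDR_LEN) return DEC_TRUNCATED;
    uint32_t magic = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                     ((uint32_t)pkt[2] << 8) | pkt[3];
    if (magic != CUST_MAGIC) return DEC_BAD_MAGIC;
    if (pkt[4] != CUST_VERSION) return DEC_BAD_VERSION;
    int inner_dlt = pkt[5] == 0 ? DLT_RAW : pkt[5] == 1 ? DLT_EN10MB : -1;
    size_t inner_len = ((size_t)pkt[6] << 8) | pkt[7];
    if (inner_len > len - CUST_HDR_LEN) return DEC_TRUNCATED;   /* claims more than captured */
    grinder_fn inner = select_grinder(inner_dlt);
    if (inner == NULL || inner == decode_custom) return DEC_UNSUPPORTED;  /* no nesting */
    p->inner = pkt + CUST_HDR_LEN;
    p->inner_len = inner_len;
    return inner(p, p->inner, inner_len);
}

/* Decode one buffer with the grinder for its DLT; *proto gets the inner IP protocol. */
static enum status grind(int dlt, const uint8_t *pkt, size_t len, uint8_t *proto)
{
    packet_t p;
    memset(&p, 0, sizeof p);
    grinder_fn g = select_grinder(dlt);
    if (g == NULL) return DEC_UNSUPPORTED;
    enum status s = g(&p, pkt, len);
    if (s == DEC_OK && proto) *proto = p.ip_proto;
    return s;
}

/* Constructed samples, not real captures. */
static const uint8_t SAMPLE_RAW[] = {
    'C','U','S','T', 0x01, 0x00, 0x00, 0x14,            /* v1, inner = raw IP, 20 bytes */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00,     /* IPv4, IHL 5, total length 20 */
    0x40, 0x06, 0x00, 0x00, 10,0,0,1, 10,0,0,2          /* TTL 64, proto 6 (TCP), src, dst */
};
static const uint8_t SAMPLE_ETH[] = {
    'C','U','S','T', 0x01, 0x01, 0x00, 0x22,            /* v1, inner = Ethernet, 34 bytes */
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x08, 0x00,             /* dst MAC, src MAC, EtherType IPv4 */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x11, 0x00, 0x00, 10,0,0,1, 10,0,0,2          /* proto 17 (UDP) */
};

int raw_sample_proto(void)   /* 6 */
{
    uint8_t proto = 0;
    return grind(DLT_USER0, SAMPLE_RAW, sizeof SAMPLE_RAW, &proto) == DEC_OK ? proto : -1;
}
int eth_sample_proto(void)   /* 17 */
{
    uint8_t proto = 0;
    return grind(DLT_USER0, SAMPLE_ETH, sizeof SAMPLE_ETH, &proto) == DEC_OK ? proto : -1;
}
int truncated_status(void)   /* header promises 20 inner bytes, only 10 captured */
{
    return grind(DLT_USER0, SAMPLE_RAW, CUST_HDR_LEN + 10, NULL);
}
int bad_magic_status(void)
{
    uint8_t buf[sizeof SAMPLE_RAW];
    memcpy(buf, SAMPLE_RAW, sizeof buf);
    buf[0] = 'X';
    return grind(DLT_USER0, buf, sizeof buf, NULL);
}

int main(void)
{
    printf("raw: proto %d, eth: proto %d, truncated: %d, bad magic: %d\n",
           raw_sample_proto(), eth_sample_proto(), truncated_status(), bad_magic_status());
    return 0;
}
```

In Snort itself the inner hand-off would go to the existing decoders in decode.c (DecodeIP(), DecodeEthPkt(), and so on) and the selection happens where snort.c maps the capture's data link type to a grinder; the example keeps that shape without those types. One caveat before going this route: a grinder only runs for packets the capture source tags with that DLT. If the encapsulated traffic arrives as ordinary Ethernet frames on a normal interface, DLT-keyed dispatch never sees the custom header, and the decapsulation has to hook the layer that does see it, or happen in front of Snort.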

