[Snort-devel] Interested in developing a preprocessor; want all the documentation I can get.

Rodrigo Montoro(Sp0oKeR) spooker at ...2499...
Mon Aug 12 22:34:36 EDT 2013


Take a look at host attribute tables http://manual.snort.org/node22.html

Anyway, this tool with nmap does something similar to what you want, I guess,
but without analyzing the traffic that is passing through Snort.

http://global-security.blogspot.com.br/2010/02/hogging-snort-host-attribute-table.html

Maybe by studying DAQ you could get the hook you want more easily than with a preproc.
Anyway, as I said before, I'm not a devel, so I'm just looking at this as an infosec
guy.

Good luck!

regards,


On Mon, Aug 12, 2013 at 10:52 PM, Tony Robinson
<deusexmachina667 at ...2499...>wrote:

> This gives me a good starting point... Do you, or anyone else for that
> matter, know if the starter kit is compatible with the latest Snort
> versions? I'm assuming so, since the web page refers to Snort 2.9.4.x while
> the text doc in the tarball refers to Snort 2.9.0.x.
>
> Also, specifically, what I'm looking to do is take normalized traffic in
> either a passive or inline config and pass the cleaned up/reassembled
> traffic to prads or p0f for more accurate host detection, and in turn prads
> or p0f could be used to build more accurate stream5 or frag3 host
> policies. Makes sense, no?
>
>
> On Mon, Aug 12, 2013 at 9:27 PM, Rodrigo Montoro(Sp0oKeR) <
> spooker at ...2499...> wrote:
>
>> I'm not a devel, but for sure this URL will help you =)
>>
>> http://www.snort.org/snort-downloads/dynamic-preprocessor-starter-kit/
>>
>> Regards,
>>
>>
>> On Mon, Aug 12, 2013 at 10:23 PM, Tony Robinson <
>> deusexmachina667 at ...2499...> wrote:
>>
>>> Title really says it all.
>>>
>>> Sorry for cross posting this into both users and the devel mailing list,
>>> but I'm looking to get as many sets of eyes as I can here.
>>>
>>> Do any of you have any experience developing Snort preprocessors? I
>>> would like to try my hand at rolling one of my own, or figuring out how to pass
>>> normalized/preprocessed traffic to other network inspection tools. To be
>>> quite honest, I have no idea what I'm doing and am not sure if a
>>> preprocessor would be necessary to do this or not.
>>>
>>> I know that for the most part there are readmes included with most of
>>> the source code, but if anyone has any more solid documentation on how to do
>>> something like this, I need all the documentation I can get.
>>>
>>>
>>>
>>> --
>>> when does reality end? when does fantasy begin?
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>
>>
>>
>> --
>> Rodrigo Montoro (Sp0oKeR)
>> http://spookerlabs.blogspot.com
>> http://www.twitter.com/spookerlabs
>> http://www.linkedin.com/in/spooker
>>
>
>
>
> --
> when does reality end? when does fantasy begin?
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
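Since the thread points at host attribute tables as the place where p0f/prads-style OS fingerprints could drive stream5/frag3 target-based policies, here is an added example (not Snort's code and not from either poster) that takes passive-fingerprint observations and emits the XML a host attribute table uses, the file you point Snort at with `attribute_table filename <path>` in snort.conf. The element names and the policy names are Snort's; the observations are constructed, and the mapping from an OS label to a STREAM_POLICY/FRAG_POLICY pair is an assumption made here, not something the manual or the thread prescribes.

```python
"""Build a Snort host attribute table from passive OS-fingerprint observations.
Added example; not Snort, p0f or prads code."""
import xml.etree.ElementTree as ET

# Assumption: how a fingerprinter's OS label maps to Snort's target-based
# policy names, as (STREAM_POLICY, FRAG_POLICY). frag3 has no macos policy,
# so a Mac host is given the bsd reassembly policy for fragments.
OS_POLICY = {
    "Linux":    ("linux",   "linux"),
    "Windows":  ("windows", "windows"),
    "Solaris":  ("solaris", "solaris"),
    "FreeBSD":  ("bsd",     "bsd"),
    "Mac OS X": ("macos",   "bsd"),
}

# Constructed sample observations, shaped like what a fingerprinter would
# report after watching a host; this is not real p0f or prads output.
OBSERVATIONS = [
    {"ip": "192.0.2.10", "os": "Linux", "vendor": "Debian", "version": "3.x",
     "confidence": 90,
     "services": [(22, "tcp", "ssh", "OpenSSH", "6.0p1"),
                  (80, "tcp", "http", "nginx", "1.2")]},
    {"ip": "192.0.2.20", "os": "Windows", "vendor": "Microsoft", "version": "7",
     "confidence": 80,
     "services": [(445, "tcp", "netbios-ssn", "smb", None)]},
    # A host whose OS was never fingerprinted: no policy elements are emitted,
    # so Snort falls back to its configured default policy for it.
    {"ip": "192.0.2.30", "os": None, "vendor": None, "version": None,
     "confidence": 0, "services": []},
]


def policy_for(os_label):
    """Return (stream_policy, frag_policy), or None if unknown/unmapped."""
    if os_label is None:
        return None
    return OS_POLICY.get(os_label)


class AttributeMap:
    """Assigns the integer IDs that ATTRIBUTE_ID elements refer back to."""
    def __init__(self):
        self.ids = {}

    def id_for(self, value):
        if value not in self.ids:
            self.ids[value] = len(self.ids) + 1
        return self.ids[value]

    def to_element(self):
        m = ET.Element("ATTRIBUTE_MAP")
        for value, ident in sorted(self.ids.items(), key=lambda kv: kv[1]):
            entry = ET.SubElement(m, "ENTRY")
            ET.SubElement(entry, "ID").text = str(ident)
            ET.SubElement(entry, "VALUE").text = value
        return m


def _attr(parent, tag, confidence, ident=None, value=None):
    """Emit <TAG> with either an ATTRIBUTE_ID or an ATTRIBUTE_VALUE child."""
    e = ET.SubElement(parent, tag)
    if ident is not None:
        ET.SubElement(e, "ATTRIBUTE_ID").text = str(ident)
    else:
        ET.SubElement(e, "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(e, "CONFIDENCE").text = str(confidence)
    return e


def build_table(observations):
    """Return the <SNORT_ATTRIBUTES> root for the given observations."""
    amap = AttributeMap()
    root = ET.Element("SNORT_ATTRIBUTES")
    table = ET.Element("ATTRIBUTE_TABLE")
    for ob in observations:
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ob["ip"]
        osys = ET.SubElement(host, "OPERATING_SYSTEM")
        if ob["os"] is not None:
            _attr(osys, "NAME", ob["confidence"], ident=amap.id_for(ob["os"]))
            _attr(osys, "VENDOR", ob["confidence"], value=ob["vendor"])
            _attr(osys, "VERSION", ob["confidence"], value=ob["version"])
            pol = policy_for(ob["os"])
            if pol is not None:
                ET.SubElement(osys, "FRAG_POLICY").text = pol[1]
                ET.SubElement(osys, "STREAM_POLICY").text = pol[0]
        services = ET.SubElement(host, "SERVICES")
        for port, ipproto, proto, app, appver in ob["services"]:
            svc = ET.SubElement(services, "SERVICE")
            _attr(svc, "PORT", 100, value=port)
            _attr(svc, "IPPROTO", 100, value=ipproto)
            _attr(svc, "PROTOCOL", 100, ident=amap.id_for(proto))
            appel = _attr(svc, "APPLICATION", 100, ident=amap.id_for(app))
            if appver:
                _attr(appel, "VERSION", 100, value=appver)
    root.append(amap.to_element())   # the map precedes the table that indexes it
    root.append(table)
    return root


def to_xml(observations):
    return ET.tostring(build_table(observations), encoding="unicode")


def host_policies(xml_text):
    """Parse a generated table back into {ip: (stream_policy, frag_policy) or None}."""
    root = ET.fromstring(xml_text)
    out = {}
    for host in root.findall("./ATTRIBUTE_TABLE/HOST"):
        sp = host.findtext("./OPERATING_SYSTEM/STREAM_POLICY")
        fp = host.findtext("./OPERATING_SYSTEM/FRAG_POLICY")
        out[host.findtext("IP")] = (sp, fp) if sp and fp else None
    return out


if __name__ == "__main__":
    print(to_xml(OBSERVATIONS))
```

Regenerating this file from the fingerprinter's current view and reloading the table is the passive route to per-host policies the thread is after; the preprocessor or DAQ work discussed above would only be needed to feed the fingerprinter Snort's already-normalized stream rather than raw wire traffic.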

