[Snort-devel] [Snort-users] Interested in developing a preprocessor; want all the documentation I can get.

Tony Robinson deusexmachina667 at ...2499...
Tue Aug 13 19:27:26 EDT 2013


Appreciate all the feedback. Apologies for the delay: sleeping, work, etc.
You get the idea.

I was thinking DAQ is where I would want to look as well, but I was under
the impression that DAQ essentially takes the place of libpcap -- you're
using DAQ to grab the raw traffic off the wire before passing it to Snort
for "cleanup" and other purposes. I don't know if this assertion is correct
or not -- I mean, is DAQ used to pass reassembled traffic between
preprocessors?

I'm not a dev either, just another infosec enthusiast, and I just thought
that this would be something awesome, since Snort is really good at
reassembling traffic and PRADS/p0f could totally take advantage of
reassembled streams for service and OS detection. This in turn can create a
feedback loop for building reassembly policies and (eventually) be used to
make suggestions for rules to enable/disable via PulledPork or another
rule management tool.


On Tue, Aug 13, 2013 at 8:56 AM, Joel Esler <jesler at ...402...> wrote:

> On Aug 12, 2013, at 9:52 PM, Tony Robinson <deusexmachina667 at ...2499...>
> wrote:
>
> This gives me a good starting point... Do you or anyone else, for that
> matter, know if the starter kit is compatible with the latest Snort
> versions? I'm assuming so, since the web page refers to Snort 2.9.4.x while
> the text doc in the tarball refers to Snort 2.9.0.x.
>
> Also, specifically what I'm looking to do is take normalized traffic in
> either a passive or inline config and pass the cleaned-up/reassembled
> traffic to PRADS or p0f for more accurate host detection, and in turn PRADS
> or p0f could be used to build more accurate Stream5 or Frag3 host
> policies. Makes sense, no?
>
> It's compatible.


-- 
when does reality end? when does fantasy begin?