[Snort-devel] [Snort-users] Interested in developing a preprocessor; want all the documentation I can get.

Tony Robinson deusexmachina667 at ...2499...
Tue Aug 13 22:00:53 EDT 2013


Hm... sort of in keeping with the same thread here: does anyone know if
daemonlogger would do this, or could be configured to forward traffic Snort
has already preprocessed to a virtual interface/soft tap?


On Tue, Aug 13, 2013 at 7:27 PM, Tony Robinson
<deusexmachina667 at ...2499...> wrote:

> Appreciate all the feedback. Apologies for the delay: sleeping, work, etc.
> You get the idea.
>
> I was thinking DAQ is where I would want to look as well, but I was under
> the impression that DAQ essentially takes the place of libpcap -- you're
> using DAQ to grab the raw traffic off the wire before passing it to Snort
> for "cleanup" and other purposes. I don't know if this assertion is correct
> or not -- I mean, is DAQ used to pass reassembled traffic between
> preprocessors?
>
> I'm not a dev either, just another infosec enthusiast, and I just thought
> that this would be something awesome since Snort is really good at
> reassembling traffic and prads/p0f could totally take advantage of
> reassembled streams for service and OS detection. This in turn can create a
> feedback loop for building reassembly policies and (eventually) be used to
> make suggestions for rules to enable/disable via PulledPork or another
> rule management tool.
>
>
> On Tue, Aug 13, 2013 at 8:56 AM, Joel Esler <jesler at ...402...> wrote:
>
>> On Aug 12, 2013, at 9:52 PM, Tony Robinson <deusexmachina667 at ...2499...>
>> wrote:
>>
>> This gives me a good starting point... Do you, or anyone else for that
>> matter, know if the starter kit is compatible with the latest Snort
>> versions? I'm assuming so, since the web page refers to Snort 2.9.4.x while
>> the text doc in the tarball refers to Snort 2.9.0.x.
>>
>> Also, specifically, what I'm looking to do is take normalized traffic in
>> either a passive or inline config and pass the cleaned-up/reassembled
>> traffic to prads or p0f for more accurate host detection; in turn, prads
>> or p0f could be used to build more accurate Stream5 or Frag3 host
>> policies. Makes sense, no?
>>
>>
>> It’s compatible.
>>
>>
>
>
> --
> when does reality end? when does fantasy begin?
>



-- 
when does reality end? when does fantasy begin?