[Snort-devel] Snort Dynamic Preprocessor for BACnet

Russ Combs (rucombs) rucombs at ...3461...
Fri May 9 09:01:01 EDT 2014


Glad to hear you are making progress.  As for rate limiting, the closest thing would be rate_filter, although that is not a preprocessor.  The rate filter changes the action on a rule (e.g., from alert to drop).  You might try that out to see how it works and then look at the code to see if it helps you with your effort.

________________________________
From: highend root [highend at ...3447...]
Sent: Thursday, May 08, 2014 10:16 AM
To: Russ Combs (rucombs)
Subject: Snort Dynamic Preprocessor for BACnet

Hello Mr. Combs,

I already contacted you at the end of March regarding the development
of a dynamic preprocessor for the BACnet building automation
protocol.
Work is in good progress so far but you may point me in the right
direction on how to implement a kind of stateful normalization.
As a simple example:

  Drop or limit the number of messages with the same content (or of the
  same type) within a time window.

Is there an implementation of a similar kind within another preprocessor
which I could use as a guide?
An answer is very much appreciated.

Best Regards
Harry Haerpfer
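
The stateful limit discussed in this thread (count messages of the same type per source inside a time window, then switch to drop for a while), as an added example that is not part of the original messages and is not Snort or rate_filter code. All names, the table layout and the limits are hypothetical; the caller is assumed to pass the source address, the decoded message type and the packet timestamp.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

/* All names and limits below are hypothetical, chosen for illustration. */
#define RL_SLOTS   1024  /* table size, must be a power of two */
#define RL_COUNT   3     /* messages allowed per window */
#define RL_SECONDS 10    /* window length in seconds */
#define RL_TIMEOUT 30    /* seconds the drop decision stays in effect */
typedef struct {
    uint32_t src;        /* source IPv4 address */
    uint8_t  type;       /* decoded message type (e.g. a service code) */
    uint8_t  used;       /* slot holds live state */
    uint32_t count;      /* messages seen in the current window */
    time_t   win_start;  /* start of the current window */
    time_t   drop_until; /* drop everything for this key before this time */
} rl_entry;

static rl_entry rl_table[RL_SLOTS];

static rl_entry *rl_lookup(uint32_t src, uint8_t type)
{
    uint32_t h = (src * 2654435761u) ^ ((uint32_t)type * 40503u);
    rl_entry *e = &rl_table[h & (RL_SLOTS - 1)];
    if (!e->used || e->src != src || e->type != type) {
        /* Empty or colliding slot is reclaimed; eviction loses state, so chain or probe in real use. */
        memset(e, 0, sizeof(*e));
        e->src = src; e->type = type; e->used = 1;
    }
    return e;
}

/* Returns 1 if the message should be dropped, 0 if it may pass. */
int rl_should_drop(uint32_t src, uint8_t type, time_t now)
{
    rl_entry *e = rl_lookup(src, type);
    if (now < e->drop_until)            /* still inside the timeout */
        return 1;
    if (e->count == 0 || now - e->win_start >= RL_SECONDS) {
        e->win_start = now;             /* open a fresh window */
        e->count = 0;
    }
    if (++e->count > RL_COUNT) {        /* limit exceeded: change the action */
        e->drop_until = now + RL_TIMEOUT;
        e->count = 0;
        return 1;
    }
    return 0;
}
```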
