[Snort-devel] Snort Dynamic Preprocessor for BACnet

Russ Combs (rucombs) rucombs at ...3461...
Tue May 20 19:43:26 EDT 2014


________________________________________
From: highend [highend at ...3447...]
Sent: Tuesday, May 20, 2014 4:54 PM
To: Russ Combs (rucombs)
Subject: Re: Snort Dynamic Preprocessor for BACnet

Hello Mr. Combs,

rate_filter would almost perfectly fit my needs.
Is there a way to use it in a dynamic preprocessor w/o rewriting it?

* You would want to use these files:

    src/sfutil/sfrf.c
    src/sfutil/sfrf.h

Am 09.05.2014 15:01, schrieb Russ Combs (rucombs):
> Glad to hear you are making progress.  As for rate limiting, the closest
> thing would be rate_filter, although that is not a preprocessor.  The
> rate filter changes the action on a rule (eg from alert to drop).  You
> might try that out to see how it works and then look at the code to see
> if it helps you with your effort.
>
> ------------------------------------------------------------------------
> *From:* highend root [highend at ...3447...]
> *Sent:* Thursday, May 08, 2014 10:16 AM
> *To:* Russ Combs (rucombs)
> *Subject:* Snort Dynamic Preprocessor for BACnet
>
> Hello Mr. Combs,
>
> I already contacted you at the end of March regarding the development
> of a dynamic preprocessor for the BACnet building automation
> protocol.
> Work is in good progress so far but you may point me in the right
> direction on how to implement a kind of stateful normalization.
> As a simple example:
>
>   Drop or limit the number of messages with the same content (or of the
>   same type) within a time window.
>
> Is there an implementation of similar kind within another preprocessor
> which I could use as a guide?
> An answer is very much appreciated.
>
> Best Regards
> Harry Haerpfer
>
