[Snort-sigs] Re: snort v1.9 and iptables

Jed Haile jed at ...1173...
Thu Jan 2 13:45:59 EST 2003


I think what you are looking for is the snort-inline patch. The snort-inline patch 
works with iptables via netfilter. At this point there is little in the way 
of documentation, it only works on Linux 2.4.x, and it requires libipq. I 
have had very little time to work on it recently, but it does support a 
replace keyword.

You can do content replacement on tcp packets by doing (stupid example):
alert tcp any any -> any 80 (msg:"cmd.exe replaced"; content:"cmd.exe"; 
replace:"foo.bar";)

This rule will watch for the content cmd.exe going to tcp port 80 and will 
replace the "cmd.exe" with "foo.bar". The main limitation is that the replace 
string must be the same length as the matched string. Replace should work 
fine for tcp packets; I need to fix udp checksums... the current patch does 
not recalculate the udp checksums correctly.

You should be able to find the latest copy of snort-inline somewhere under the 
downloads section on snort.org. It is using snort 1.9, but it is not up to 
date. Getting snort-inline updated to the latest snort and writing some real 
documentation is on my to-do list, but at the moment my plate is rather full. 
Perhaps some other kind soul would update the patch to work with current 
snort...

Jed

On Thursday 02 January 2003 02:54 am, Russell Fulton wrote:
> On Thu, 2003-01-02 at 21:20, Roanne Tang wrote:
> > Found this : Snort now supports IPTables "Netfilter" via libipq with the
> > link below.
> > http://www.prismnet.com/~aef/index2.html
>
> This appears old (last date August 2001), interesting idea but
> development appears to have petered out.  Hogwash (referenced from that
> page) is still going, although not a lot is happening now -- last beta
> release 6 months ago...
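The two mechanics Jed describes above, a same-length in-place payload replacement and the UDP checksum recalculation that the patch at that time got wrong, are shown below as an added example. This is not code from the snort-inline patch or from Snort; it is a stand-alone C illustration that assumes an IPv4 pseudo-header (RFC 768) and a constructed UDP datagram with made-up addresses and ports. `replace_content`, `udp_checksum`, `udp_checksum_ok` and `demo` are names chosen for this example only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same-length, in-place content replacement: the constraint the snort-inline
 * replace keyword imposes. Returns the number of replacements made, or -1 if
 * the match and replacement strings are not the same non-zero length. */
int replace_content(uint8_t *payload, size_t len, const char *match, const char *repl)
{
    size_t mlen = strlen(match);
    if (mlen == 0 || mlen != strlen(repl))
        return -1;
    int count = 0;
    for (size_t i = 0; i + mlen <= len; ) {
        if (memcmp(payload + i, match, mlen) == 0) {
            memcpy(payload + i, repl, mlen);   /* packet length is unchanged */
            count++;
            i += mlen;
        } else {
            i++;
        }
    }
    return count;
}

/* RFC 1071 one's-complement accumulation over a byte buffer (big-endian words,
 * odd trailing byte padded with zero). */
static uint32_t csum_add(uint32_t sum, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 pseudo-header for UDP: src, dst, zero, protocol 17, UDP length. */
static uint32_t pseudo_sum(const uint8_t src[4], const uint8_t dst[4], size_t udp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = 17;
    pseudo[10] = (uint8_t)(udp_len >> 8);
    pseudo[11] = (uint8_t)(udp_len & 0xff);
    return csum_add(0, pseudo, sizeof pseudo);
}

/* Compute the UDP checksum for a datagram (8-byte header followed by payload),
 * treating the checksum field (bytes 6-7) as zero. A computed 0 is sent as
 * 0xFFFF per RFC 768. This is what an inline modifier has to redo after it
 * changes payload bytes. */
uint16_t udp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t udp_len)
{
    uint32_t sum = pseudo_sum(src, dst, udp_len);
    sum = csum_add(sum, udp, 6);                 /* ports and length */
    sum = csum_add(sum, udp + 8, udp_len - 8);   /* payload, skipping the checksum field */
    uint16_t c = csum_fold(sum);
    return c == 0 ? 0xFFFF : c;
}

/* Receiver-side verification: summing everything including the stored checksum
 * must fold to zero. */
int udp_checksum_ok(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t udp_len)
{
    uint32_t sum = pseudo_sum(src, dst, udp_len);
    sum = csum_add(sum, udp, udp_len);
    return csum_fold(sum) == 0;
}

/* Constructed datagram: replace "cmd.exe" with "foo.bar" in the payload, show
 * that the old checksum no longer verifies (the bug the mail describes), then
 * recompute it. Returns 1 when every step behaves as expected, 0 otherwise. */
int demo(void)
{
    const uint8_t src[4] = {192, 168, 1, 10}, dst[4] = {192, 168, 1, 20}; /* constructed */
    static const char req[] = "GET /cmd.exe HTTP/1.0";                    /* constructed */
    uint8_t dgram[8 + sizeof req - 1];
    size_t dlen = sizeof dgram;
    dgram[0] = 0xc0; dgram[1] = 0x00;                 /* src port 49152 */
    dgram[2] = 0x00; dgram[3] = 0x50;                 /* dst port 80 */
    dgram[4] = (uint8_t)(dlen >> 8); dgram[5] = (uint8_t)(dlen & 0xff);
    dgram[6] = dgram[7] = 0;
    memcpy(dgram + 8, req, dlen - 8);
    uint16_t c = udp_checksum(src, dst, dgram, dlen);
    dgram[6] = (uint8_t)(c >> 8); dgram[7] = (uint8_t)(c & 0xff);
    if (!udp_checksum_ok(src, dst, dgram, dlen)) return 0;

    if (replace_content(dgram + 8, dlen - 8, "cmd.exe", "foo.bar") != 1) return 0;
    if (udp_checksum_ok(src, dst, dgram, dlen)) return 0;   /* stale checksum must fail */
    c = udp_checksum(src, dst, dgram, dlen);
    dgram[6] = (uint8_t)(c >> 8); dgram[7] = (uint8_t)(c & 0xff);
    if (!udp_checksum_ok(src, dst, dgram, dlen)) return 0;
    return memcmp(dgram + 8, "GET /foo.bar HTTP/1.0", dlen - 8) == 0;
}

int main(void)
{
    int ok = demo();
    printf("replace + UDP checksum demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The length check in `replace_content` is what keeps the IP total length, the UDP length field and every sequence number downstream valid; TCP gets the same treatment with the pseudo-header protocol number set to 6 and the checksum computed over the whole segment, which is why the same-length rule applies to both.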
