[Snort-sigs] Re: snort v1.9 and iptables
jed at ...1173...
Thu Jan 2 13:45:59 EST 2003
I think what you're looking for is the snort-inline patch. The snort-inline patch
works with iptables via netfilter. At this point there is little in the way
of documentation, and it only works on linux 2.4.x and it requires libipq. I
have had very little time to work on it recently, but it does support a
You can do content replacement on tcp packets by doing (stupid example):
alert tcp any any -> any 80 (msg:"cmd.exe replaced"; content:"cmd.exe"; replace:"foo.bar";)
This rule will watch for the content cmd.exe going to tcp port 80 and will
replace the "cmd.exe" with "foo.bar". The main limitation is that the replace
string must be the same length as the matched string. Replace should work
fine for tcp packets, I need to fix udp checksums... the current patch does
not recalculate the udp checksums correctly.
You should be able to find the latest copy of snort-inline somewhere under the
downloads section on snort.org. It is using snort 1.9, but it is not up to
date. Getting snort inline updated to the latest snort and writing some real
documentation is on my to do list, but at the moment my plate is rather full.
Perhaps some other kind soul would update the patch to work with current
On Thursday 02 January 2003 02:54 am, Russell Fulton wrote:
> On Thu, 2003-01-02 at 21:20, Roanne Tang wrote:
> > Found this : Snort now supports IPTables "Netfilter" via libipq with the
> > link below.
> > http://www.prismnet.com/~aef/index2.html
> this appears old (last date August 2001), interesting idea but
> development appears to have petered out. Hogwash (referenced from that
> page) is still going although not a lot happening now -- last beta
> release 6 months ago...
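The post above describes same-length content replacement and notes that the patch does not yet recompute UDP checksums after rewriting a payload. The following added example (not snort-inline code, and not from the original message) shows why that matters: it builds a constructed UDP segment over RFC 5737 test addresses, rewrites "cmd.exe" to "foo.bar" in place, and checks the RFC 768 checksum with and without recomputation. The addresses, ports and payload are constructed sample values.

```python
"""Same-length payload replacement with UDP checksum recomputation (added example)."""
import struct

# Constructed sample values (RFC 5737 documentation addresses, arbitrary ports).
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 80])
PAYLOAD = b"GET /scripts/cmd.exe HTTP/1.0\r\n"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 768 checksum: pseudo-header + UDP header (checksum field zeroed) + payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum or 0xFFFF  # a computed zero is transmitted as all-ones


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a UDP segment with a correct checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload


def udp_checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the stored checksum matches one recomputed over the current bytes."""
    stored = struct.unpack("!H", segment[6:8])[0]
    return stored == udp_checksum(src_ip, dst_ip, segment)


def replace_content(segment: bytes, match: bytes, replacement: bytes,
                    fix_checksum: bool, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Rewrite the first occurrence of `match` in the payload in place.

    The replacement must be the same length so the segment length and every
    later offset stay unchanged. With fix_checksum=False the header is left
    as-is, mirroring the UDP gap the post describes.
    """
    if len(match) != len(replacement):
        raise ValueError("replacement must be the same length as the matched content")
    payload = segment[8:]
    idx = payload.find(match)
    if idx < 0:
        return segment
    new_segment = segment[:8] + payload[:idx] + replacement + payload[idx + len(match):]
    if fix_checksum:
        csum = udp_checksum(src_ip, dst_ip, new_segment)
        new_segment = new_segment[:6] + struct.pack("!H", csum) + new_segment[8:]
    return new_segment


def demo() -> dict:
    """Compare a naive rewrite against one that recomputes the checksum."""
    original = build_udp(SRC_IP, DST_IP, 40000, 80, PAYLOAD)
    naive = replace_content(original, b"cmd.exe", b"foo.bar", False, SRC_IP, DST_IP)
    fixed = replace_content(original, b"cmd.exe", b"foo.bar", True, SRC_IP, DST_IP)
    return {
        "original_valid": udp_checksum_valid(SRC_IP, DST_IP, original),
        "naive_valid": udp_checksum_valid(SRC_IP, DST_IP, naive),
        "fixed_valid": udp_checksum_valid(SRC_IP, DST_IP, fixed),
        "fixed_payload": fixed[8:],
        "same_length": len(fixed) == len(original),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The naive rewrite leaves a segment the receiving host's UDP stack would discard as corrupt, which is exactly the symptom of an inline sanitizer that changes bytes without touching the transport checksum; the same pseudo-header approach applies to TCP with protocol number 6.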