[Snort-users] Snort development: snortdog

Fyodor fygrave at ...121...
Sat Aug 5 07:21:46 EDT 2000


Hello folks,
 I have been playing around with some commercial IDS recently (realsecure,
netranger etc), and I think I have got an interesting idea to be
implemented for snort. To be a part of snortnet, but not only.

 What I am thinking of is coding a watchdog process for snort which would
perform the following functions:

1. Watchdog'ing snort process: i.e. you don't have to start snort itself
manually anymore, you just put path, command line arguments into
sndog.conf and it would automagically run, restart, shutdown the process
itself.

2. Log messages spooling: at the beginning I was thinking of spooling
alert messages for snortnet only, since it could take a while to transmit
alert message to a central console, and during this time packets could be
lost. But now I think we could utilize spooling for most of the other
plugins except for fastalert, i.e. snort could be passing alert messages
to watchdog process which would spool them and deliver appropriately
(database, logfile, whatever). This way we could split the load of snort
sensor process itself and improve performance.

3. Automagic snort rules retrieval and updates. I was given this idea while
we were in Taipei, and I think watchdog could take care of that. The way I
am thinking of that is that we would have some central rules distribution
center (several protocols could be supported even, maybe make it possible
to fetch stuff from website directly, although I would not recommend
that) and snortdog would request rules files ID in a manner similar to
DNS secondary zone transfer. If the ID is higher than current, a rule file
transfer would be performed.

Any thoughts on this topic?


Another note is for the devel.people mostly:

 I was also thinking of reformatting the snort source tree structure, as
it is now it seems to be messy so I was thinking of splitting the source
code into the following categories:

 core/
 plugins/

 Makefile and configure script would still be in root, so you still would
have to do ./configure; make; make install.

 First it will build plugins chosen (script would be used to enable,
disable plugins, download plugin sourcecode if necessary etc), then snort
itself and link necessary plugin objects.

This way we would be able to put extra modules for snort (sensor, console,
watchdog, whatever we would think to bring here) without overwhelming root
source directory, what do you think?


Any feedback would be appreciated mucho :-)
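
The serial-ID check proposed in item 3, sketched as an added example that is not part of the original post or of Snort: the sensor polls the center's rules ID, transfers only when it is higher, and installs the file atomically. The HMAC with a pre-shared key, the file names `snort.rules` and `serial`, and the `center` interface (`get_serial()`, `get_rules()`) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed pre-shared key between distribution center and sensor (assumption).
SHARED_KEY = b"constructed-demo-key"

def sign(serial, rules, key=SHARED_KEY):
    """MAC over serial and rules, so an old file cannot be replayed under a new ID."""
    return hmac.new(key, str(serial).encode() + b"\n" + rules, hashlib.sha256).hexdigest()

def local_serial(rules_dir):
    """ID of the installed rules; 0 when nothing valid is installed yet."""
    try:
        with open(os.path.join(rules_dir, "serial")) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return 0

def atomic_write(path, data):
    """Write beside the target, then rename, so snort never reads a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)

def poll_and_update(center, rules_dir, key=SHARED_KEY):
    """One poll cycle against a center offering get_serial() and get_rules()."""
    current = local_serial(rules_dir)
    if center.get_serial() <= current:        # cheap check, like comparing zone serials
        return "up-to-date"
    serial, rules, mac = center.get_rules()   # full transfer only when the ID is higher
    if serial <= current:                     # advertised ID and delivered file disagree
        return "rejected: stale serial"
    if not hmac.compare_digest(mac, sign(serial, rules, key)):
        return "rejected: bad MAC"
    atomic_write(os.path.join(rules_dir, "snort.rules"), rules)
    atomic_write(os.path.join(rules_dir, "serial"), str(serial).encode())  # serial last
    return f"installed serial {serial}"

class DemoCenter:
    """Constructed in-memory stand-in for the rules distribution center."""
    def __init__(self, serial, rules, key=SHARED_KEY):
        self.serial, self.rules, self.mac = serial, rules, sign(serial, rules, key)
    def get_serial(self):
        return self.serial
    def get_rules(self):
        return self.serial, self.rules, self.mac
```

Writing the serial file last means an interrupted update leaves the old ID in place, so the next poll repeats the transfer.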




