[Snort-users] RE: How to use -A unsock option
fygrave at ...121...
Tue Aug 8 12:41:55 EDT 2000
~ :Hey Sean,
~ :I think Fyodor and I have both experimented with this in the past. The
~ :problem you will run into is that once you have a process receiving
~ :the data (msg, and packet) from the socket you need to decode the
~ :packet. Before you can do that effectively you need to either extract
~ :a lot of functionality from snort and make a library out of it or
~ :rewrite a good chunk of snort -- just to decode that packet. While I
~ :think we plan to someday have libsnort we have not had a chance to
~ :work on it for quite some time.
What I am thinking of for the moment is to pass a `semi-cooked' raw
data format to the spool daemon, so it doesn't need to process packets (it
would have all flags and offsets set in a structure along with the raw
packet). Almost the same way it works with snortnet, and I believe the spool
daemon should improve performance and functionality.
As for snortlib (a library of the routines used in snort), most of them need to
be rewritten to be easily usable in snort as well as in a standalone
library. I am finishing the ICMP_unreach extra-information dump addition at
the moment, and it was even easier to write a separate quick IP packet
printing routine rather than trying to reuse snort routines, since the way
they are now, they are too specific for general use.
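The `semi-cooked' idea above, as an added example that is not Snort's code or anything from this thread: a record carrying the alert text, the header offsets and the raw packet, with a sender-side builder and a receiver-side parser such as a spool daemon reading the -A unsock socket could use. The struct layout, field names and functions are assumptions for illustration; the receiver treats the offsets as untrusted input and checks them against the packet length before handing out pointers.

```c
/* Added example (not Snort's code): a receiver for a hypothetical "semi-cooked"
 * alert record, i.e. alert text + header offsets + raw packet, as a spool daemon
 * might read it from the -A unsock socket. Layout and names are assumptions. */
#include <stdint.h>
#include <string.h>
#define MSG_LEN 64
struct cooked_hdr {            /* fixed prefix, followed by pkt_len raw bytes */
    char     msg[MSG_LEN];     /* alert text, NUL-terminated */
    uint32_t pkt_len;          /* length of the raw packet that follows */
    uint16_t net_off;          /* offset of the IP header inside the packet */
    uint16_t trans_off;        /* offset of the TCP/UDP/ICMP header */
    uint16_t data_off;         /* offset of the payload */
};
struct pkt_view {              /* what the daemon uses without decoding */
    const char    *msg;
    const uint8_t *net, *trans, *data;
    size_t         data_len;
};
/* Sender side: prepend the header to the raw packet; returns bytes written,
 * or 0 if out is too small. */
size_t build_cooked(uint8_t *out, size_t outlen, const char *msg,
                    const uint8_t *pkt, uint32_t pkt_len,
                    uint16_t net_off, uint16_t trans_off, uint16_t data_off)
{
    struct cooked_hdr h = {0};
    if (outlen < sizeof h + pkt_len) return 0;
    strncpy(h.msg, msg, MSG_LEN - 1);        /* h is zeroed, so always NUL-terminated */
    h.pkt_len = pkt_len; h.net_off = net_off;
    h.trans_off = trans_off; h.data_off = data_off;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, pkt, pkt_len);
    return sizeof h + pkt_len;
}
/* Receiver side: 0 on success, -1 if the record is truncated or the sender-supplied
 * offsets are inconsistent. Offsets are checked against pkt_len before use. */
int parse_cooked(const uint8_t *buf, size_t buflen, struct pkt_view *v)
{
    struct cooked_hdr h;
    if (buflen < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (memchr(h.msg, '\0', MSG_LEN) == NULL) return -1;
    if (h.pkt_len > buflen - sizeof h) return -1;
    if (h.net_off > h.trans_off || h.trans_off > h.data_off ||
        h.data_off > h.pkt_len) return -1;
    const uint8_t *pkt = buf + sizeof h;
    v->msg = (const char *)buf;              /* msg is the first header field */
    v->net = pkt + h.net_off;   v->trans = pkt + h.trans_off;
    v->data = pkt + h.data_off; v->data_len = h.pkt_len - h.data_off;
    return 0;
}
```

A daemon would read one record per recvfrom() on a SOCK_DGRAM Unix socket and call parse_cooked on it, rejecting anything that returns -1 instead of trusting the offsets.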