[Snort-users] RE: How to use -A unsock option

Sean C Doherty seand at ...232...
Tue Aug 8 16:27:22 EDT 2000


Hi Jed and Fyodor,

Thanks for the response on this.  I will check out snortnet, it seems like
the way to go for now.  In the interim as a last resort I have written a
"tail" like program to monitor the alert file and that seems to be working
ok.

The parsed "semi-cooked" raw data sounds like a good idea and would
certainly help some of us non-technically expert folks to participate in
getting new functionality from snort to meet specific needs that may not be
generally useful in other environments.

Sean D

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Fyodor
> Sent: Tuesday, August 08, 2000 12:42 PM
> To: Jed Pickel
> Cc: Sean C Doherty; Snort-Users
> Subject: Re: [Snort-users] RE: How to use -A unsock option
>
>
> ~ :Hey Sean,
> ~ :
> ~ :I think Fyodor and I have both experimented with this in the past. The
> ~ :problem you will run into is that once you have a process receiving
> ~ :the data (msg, and packet) from the socket you need to decode the
> ~ :packet. Before you can do that effectively you need to either extract
> ~ :a lot of functionality from snort and make a library out of it or
> ~ :rewrite a good chunk of snort -- just to decode that packet. While I
> ~ :think we plan to someday have libsnort we have not had a chance to
> ~ :work on it for quite some time.
> ~ :
>
>  What I am thinking of for the moment now, is to parse `semi-cooked' raw
> data format to the spool daemon, so it doesn't need to process packets (it
> would have all flags and offsets set in structure along with the raw
> packet). Almost the same way it works with snortnet, and I believe spool
> daemon should improve performance and functionality.
>
>  As for snortlib (library of routines used in snort) most of them need to
> be rewritten to be easily used in snort as well as in a standalone
> library. I am finishing the ICMP_unreach extra-information dump addition at
> the moment and it was even easier to write a separate quick IP packet
> printing routine rather than trying to reuse snort routines since, the way
> they are now, they are too specific for general use.
>