[Snort-users] modules (was: announcement & questions: user space firewall)

Austad, Jay austad at ...432...
Wed Nov 29 20:02:41 EST 2000


I was looking at this and thinking...  How modular is snort?  How hard would
it be to make it so if someone wanted another feature, they could just load
the module in the .conf file by putting something like:
module /usr/lib/snort/modules/firewall_module.so
module /usr/lib/snort/modules/oracledb_logger.so

And then they could take advantage of the added functionality by putting
extra options in rulesets, or adding more configuration lines which tell
that module what to do.

Then, the core functionality of snort would be the same, and it wouldn't
require extensive modifications every time someone wanted to add a feature.
I don't know how feasible this is, or maybe it's already possible...  Just a
thought.

Jay

-----Original Message-----
From: Dan Hollis [mailto:goemon at ...20...]
Sent: Wednesday, November 29, 2000 5:52 PM
To: Todd Lewis
Cc: Martin Roesch; Snort Users
Subject: Re: [Snort-users] announcement & questions: user space firewall


On Wed, 29 Nov 2000, Todd Lewis wrote:
> On Tue, 28 Nov 2000, Martin Roesch wrote:
> > > 5) PROPOSED CHANGES
> > >         A) MULTIPLE ACTIONS PER RULE
> > Ok, this doesn't look like it'd be too terribly hard to implement.  One
> > interesting thing to consider is the interaction that this will have with
> > Andrew Baker's multi-level alerts that will be coming out in Snort 1.7.
> Would it be the end of the world if I added this now?  I'm eager to get this
> work done.

How about multiple checks per rule, sort of like ipchains where you can
chain rules together. This could cut down on false alarms by allowing more
precise criteria for packet matching.

-Dan

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users


