[Snort-users] iptable support

Frontgate Lab mdiwan at ...200...
Fri Oct 12 06:27:13 EDT 2001


Try ebtables and iptables in combination with snort and guardian
(guardian and snort would of course have to be "tweaked" a bit).

I am working on a concept compiler for this right now.

Please check out http://bridge.sourceforge.net
and http://users.pandora.be/bart.de.schuymer/ebtables

Madhav Diwan




Joshua Brindle wrote:
> 
> Nah, I've looked at hogwash, and I like the concept but I do not like the implementation. Hogwash does userspace copying from interface to interface and this is not what I want; I want something that fits in with netfilter so that it can take advantage of Linux's other abilities (i.e. bridging, routing, etc.). Particularly, hogwash is meant as an inline stackless active NIDS, but I want something more like a switch (right now my setup has 3 NICs: lan, dmz, internet) and hogwash can't do this or do any routing or anything, and why set up 2 or 3 machines to do what 1 can? I've taken a look at hogwash-iptables and I still don't really like the implementation, and hogwash seems to be bound to (as of right now anyway) snort 1.7.1 so it can't take advantage of anything newly added. I want either a drop-in pcap driver, or some way for snort to interact natively with netfilter. Thanks though.
> 
> Joshua Brindle
> 
> >>> "Benjamin W. Ritcey" <ben at ...3792...> 10/11/01 22:59 PM >>>
> You want Hogwash
> 
> http://hogwash.sourceforge.net/
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Joshua
> Brindle
> Sent: Thursday, October 11, 2001 11:39 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] iptable support
> 
> There was some talk in November of last year about a version of snort
> written to use iptables but I can't find this anywhere, and the author's
> email @secureworks.net seems not to work anymore. The response said that
> snort would likely at some time be more modular and able to support
> alternate packet capturers, but it seems like snort is still very reliant on
> pcap. The reason I'm wondering is because I want a sort of active IDS that
> will simply drop packets that match a signature, instead of trying to reset
> the connection. I wrote a pcap 'driver' that uses ipq but it seems that the
> m->payload and bp are in different formats and I don't know how to convert
> between them. The patch is at
> http://web.snu.edu/~jbrindle/pcap-netfilter.diff if anyone wants to take a
> look and see what they can do, or give me more info on snort's state as
> non-pcap reliant. Thanks for any info or pointers. :)
> 
> Joshua Brindle
> UNIX Administrator
> Southern Nazarene University
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list

