Snort mailing list archives
RE: iptable support
From: "Joshua Brindle" <jbrindle () snu edu>
Date: Thu, 11 Oct 2001 23:17:37 -0500
Nah, I've looked at Hogwash, and I like the concept but I do not like the implementation. Hogwash does userspace copying from interface to interface, and this is not what I want; I want something that fits in with netfilter so that it can take advantage of Linux's other abilities (i.e. bridging, routing, etc.). In particular, Hogwash is meant as an inline stackless active NIDS, but I want something more like a switch (right now my setup has 3 NICs: LAN, DMZ, Internet), and Hogwash can't do this or do any routing or anything, and why set up 2 or 3 machines to do what 1 can? I've taken a look at hogwash-iptables and I still don't really like the implementation, and Hogwash seems to be bound to (as of right now anyway) Snort 1.7.1, so it can't take advantage of anything newly added. I want either a drop-in pcap driver, or some way for Snort to interact natively with netfilter. Thanks though.

Joshua Brindle
"Benjamin W. Ritcey" <ben () ritcey com> 10/11/01 22:59 PM >>>
You want Hogwash: http://hogwash.sourceforge.net/

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Joshua Brindle
Sent: Thursday, October 11, 2001 11:39 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] iptable support

There was some talk in November of last year about a version of Snort written to use iptables, but I can't find this anywhere, and the author's email @secureworks.net seems not to work anymore. The response said that Snort would likely at some time be more modular and able to support alternate packet capturers, but it seems like Snort is still very reliant on pcap.

The reason I'm wondering is because I want a sort of active IDS that will simply drop packets that match a signature, instead of trying to reset the connection. I wrote a pcap 'driver' that uses ipq, but it seems that the m->payload and bp are in different formats and I don't know how to convert between them. The patch is at http://web.snu.edu/~jbrindle/pcap-netfilter.diff if anyone wants to take a look and see what they can do, or give me more info on Snort's state as non-pcap reliant. Thanks for any info or pointers. :)

Joshua Brindle
UNIX Administrator
Southern Nazarene University

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
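The format mismatch Joshua describes in the quoted message (ip_queue's m->payload versus the pcap buffer bp) comes from where each buffer starts: the ip_queue message hands user space the IP datagram, beginning at the IP header, while the buffer a pcap callback receives begins at the link-layer header for the capture's DLT. The following C program is an added example, not code from this thread, from Joshua's patch, from Snort or from libipq. It re-frames a queued datagram as the Ethernet frame a DLT_EN10MB callback would expect (a synthesized pcap header plus a 14-byte Ethernet header with zeroed MACs), and returns a netfilter verdict from a toy payload match. It assumes a simplified ipq_msg struct standing in for libipq's ipq_packet_msg_t, a toy substring matcher in place of Snort's rule engine, and a constructed IPv4/TCP sample packet with zero checksums; the pattern string is invented for the example.

```c
/* Added example; not code from the thread, Snort, or libipq. It shows the
 * mismatch Joshua hit: ip_queue hands user space a buffer starting at the IP
 * header, while a pcap callback's buffer starts at the link-layer header for
 * the capture's DLT. The datagram is re-framed as a DLT_EN10MB packet with a
 * synthesized pcap header, and a toy match yields a netfilter verdict.
 * ASSUMPTIONS: struct ipq_msg is a simplified stand-in for libipq's
 * ipq_packet_msg_t; verdict_for() is a toy matcher, not a Snort rule; the
 * sample packet is constructed (zero checksums). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>

#define NF_DROP      0          /* netfilter verdict values */
#define NF_ACCEPT    1
#define ETH_HLEN     14
#define ETHERTYPE_IP 0x0800

/* Simplified stand-in (assumption) for libipq's ipq_packet_msg_t. */
struct ipq_msg {
    unsigned long  packet_id;
    size_t         data_len;    /* bytes in payload */
    unsigned char *payload;     /* IP datagram, no link-layer header */
};

/* Mirror of pcap's per-packet header: timestamp, caplen, wire length. */
struct pkthdr {
    struct timeval ts;
    uint32_t caplen, len;
};

/* Wrap an ip_queue payload as the Ethernet frame a DLT_EN10MB pcap callback
 * expects; MACs are zeroed. Returns a malloc'd buffer (caller frees). */
unsigned char *ipq_to_pcap_frame(const struct ipq_msg *m, struct pkthdr *hdr)
{
    unsigned char *frame = malloc(ETH_HLEN + m->data_len);
    if (!frame) return NULL;
    memset(frame, 0, ETH_HLEN);
    frame[12] = ETHERTYPE_IP >> 8;          /* ethertype 0x0800 */
    frame[13] = ETHERTYPE_IP & 0xff;
    memcpy(frame + ETH_HLEN, m->payload, m->data_len);
    gettimeofday(&hdr->ts, NULL);
    hdr->caplen = hdr->len = (uint32_t)(ETH_HLEN + m->data_len);
    return frame;
}

/* Toy signature check on the raw IP datagram: follow IHL and the TCP data
 * offset (or the fixed UDP header) to the application data and drop if it
 * contains pattern. Anything unparseable is accepted, never dropped. */
int verdict_for(const unsigned char *ip, size_t len, const char *pattern)
{
    if (len < 20 || (ip[0] >> 4) != 4) return NF_ACCEPT;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, thl;
    if (ihl < 20 || ihl > len) return NF_ACCEPT;
    if (ip[9] == 6) {                       /* TCP: data offset nibble */
        thl = len >= ihl + 20 ? (size_t)(ip[ihl + 12] >> 4) * 4 : 0;
        if (thl < 20) return NF_ACCEPT;
    } else if (ip[9] == 17) {               /* UDP: fixed 8-byte header */
        thl = 8;
    } else return NF_ACCEPT;
    if (ihl + thl > len) return NF_ACCEPT;
    const unsigned char *data = ip + ihl + thl;
    size_t dlen = len - ihl - thl, plen = strlen(pattern);
    for (size_t i = 0; plen && i + plen <= dlen; i++)
        if (memcmp(data + i, pattern, plen) == 0) return NF_DROP;
    return NF_ACCEPT;
}

/* Constructed sample: IPv4/TCP 10.0.0.1:1234 -> 10.0.0.2:80 with appdata. */
size_t build_sample(unsigned char *buf, const char *appdata)
{
    size_t alen = strlen(appdata), total = 20 + 20 + alen;
    memset(buf, 0, total);
    buf[0] = 0x45;                          /* version 4, IHL 5 */
    buf[2] = (unsigned char)(total >> 8); buf[3] = (unsigned char)total;
    buf[8] = 64; buf[9] = 6;                /* TTL, protocol TCP */
    memcpy(buf + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);
    buf[20] = 0x04; buf[21] = 0xd2;         /* sport 1234 */
    buf[23] = 80;                           /* dport 80 */
    buf[32] = 0x50; buf[33] = 0x18;         /* data offset 5, PSH|ACK */
    memcpy(buf + 40, appdata, alen);
    return total;
}

int main(void)
{
    unsigned char pkt[256];
    size_t n = build_sample(pkt, "GET /EXAMPLE-BAD-PATTERN HTTP/1.0\r\n\r\n");
    struct ipq_msg m = { 1, n, pkt };
    struct pkthdr h;
    unsigned char *frame = ipq_to_pcap_frame(&m, &h);
    if (!frame) return 1;
    printf("ip len=%zu caplen=%u verdict=%d (0=NF_DROP)\n", n, h.caplen,
           verdict_for(pkt, n, "EXAMPLE-BAD-PATTERN"));
    free(frame);
    return 0;
}
```

Two practical notes for anyone wiring this into a real ip_queue loop: the real ipq_packet_msg_t carries its own timestamp fields, which belong in the pcap header instead of a fresh gettimeofday(), and the verdict computed here has to be handed back to the kernel for that packet id through libipq's ipq_set_verdict(), otherwise the packet sits in the queue. The matcher above fails open (unparseable packets are accepted); for a device whose whole purpose is to drop, decide explicitly whether malformed traffic should be accepted or dropped rather than inheriting that default. Using DLT_RAW instead of synthesizing an Ethernet header is the other way to close the gap, provided the decoder on the receiving side is the raw-IP one.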
Current thread:
- iptable support Joshua Brindle (Oct 11)
- RE: iptable support Benjamin W. Ritcey (Oct 11)
- <Possible follow-ups>
- RE: iptable support Joshua Brindle (Oct 11)
- Re: iptable support Frontgate Lab (Oct 12)
- RE: iptable support Joshua Brindle (Oct 12)