Snort mailing list archives

Re: Custom Input of packets into Snort


From: Russ Combs <rcombs () sourcefire com>
Date: Sat, 21 May 2011 17:44:53 -0400

On Sat, May 21, 2011 at 5:06 PM, David Bramer <david.bramer () gmail com> wrote:

Hi,

Due to legacy reasons I receive packets encapsulated in a custom
format created by my company. What I want to do is hack snort so that
I can listen on a network interface, decapsulate the input (This is
easy) and pass the packet into snort. I've been looking at the source
as how best to achieve this.

I've considered modifying the -r option used for single pcap file
which calls PQ_Single, alternatively creating something that calls
PQ_Multi.

Am I on the right tracks or is there something better that I can do,
for instance I have read a little about preprocessors, are those
something that would allow me to decapsulate the stuff I get?


Do you have a unique DLT (data link type) value to key off of?

It sounds like creating a custom grinder would be the easiest (and best)
solution.

Take a look at DecodeNullPkt() (in decode.c, called from snort.c) as an
example.


Cheers

David
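Russ's pointer to DecodeNullPkt() is about the shape of a grinder: check the captured length against the link-layer header length before reading any header field, then hand the remainder to the next decoder. The block below is an added illustration, not code from this thread or from Snort, showing that shape for a hypothetical 8-byte legacy encapsulation (the magic, length and flags fields are constructed for the example); the remark that Snort would select such a function by DLT in snort.c and pass the inner bytes to DecodeIP() is an assumption about the 2.9 decoder layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical legacy encapsulation (constructed for this example): 4-byte
 * magic "LEGC", 2-byte big-endian inner length, 2-byte flags, then the
 * encapsulated IP packet. */
#define LEGACY_HDRLEN 8
static const uint8_t LEGACY_MAGIC[4] = { 'L', 'E', 'G', 'C' };

/* What the grinder hands to the next decoder; in Snort this would be the
 * DecodeIP(pkt, len, p) call (assumed from the 2.9 decoder layout). */
typedef struct {
    const uint8_t *inner;  /* first byte of the decapsulated packet */
    size_t inner_len;      /* bytes actually available for it */
} Decap;

/* Same shape as DecodeNullPkt(): validate cap_len against the header length
 * before reading any header field, then pass the remainder along.
 * Returns 0 on success, -1 if the frame is truncated or not ours. */
int decode_legacy_pkt(const uint8_t *pkt, size_t cap_len, Decap *out)
{
    /* cap_len is the captured length, not the length claimed on the wire;
     * a short capture must never make the IDS read past its own buffer. */
    if (cap_len < LEGACY_HDRLEN)
        return -1;
    if (memcmp(pkt, LEGACY_MAGIC, sizeof LEGACY_MAGIC) != 0)
        return -1;
    uint16_t claimed = (uint16_t)((pkt[4] << 8) | pkt[5]);
    size_t avail = cap_len - LEGACY_HDRLEN;
    out->inner = pkt + LEGACY_HDRLEN;
    /* Clamp to what was captured; the inner decoder re-checks its own
     * length fields against this value. */
    out->inner_len = claimed < avail ? claimed : avail;
    return 0;
}

/* Decapsulated length, or -1 on failure (handy for checks and tests). */
long decapsulated_length(const uint8_t *pkt, size_t cap_len)
{
    Decap d;
    return decode_legacy_pkt(pkt, cap_len, &d) == 0 ? (long)d.inner_len : -1;
}

/* Constructed sample frame: legacy header + a minimal 20-byte IPv4 header. */
static const uint8_t SAMPLE_FRAME[] = {
    'L', 'E', 'G', 'C', 0x00, 0x14, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02
};
```

A truncated capture of the sample (for instance only 12 of its 28 bytes) yields 4 inner bytes rather than the 20 the header claims, and a 5-byte capture is rejected before any header field is read.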


------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its
next-generation tools to help Windows* and Linux* C/C++ and Fortran
developers boost performance applications - including clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
