Snort mailing list archives
Re: Snort Dynamic Preprocessor for BACnet
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Tue, 20 May 2014 23:43:26 +0000
________________________________________
From: highend [highend () onycs com]
Sent: Tuesday, May 20, 2014 4:54 PM
To: Russ Combs (rucombs)
Subject: Re: Snort Dynamic Preprocessor for BACnet

Hello Mr. Combs,

rate_filter would almost perfectly fit my needs. Is there a way to use it in a dynamic preprocessor w/o rewriting it?

* You would want to use these files:

  src/sfutil/sfrf.c
  src/sfutil/sfrf.h

On 09.05.2014 15:01, Russ Combs (rucombs) wrote:

Glad to hear you are making progress. As for rate limiting, the closest thing would be rate_filter, although that is not a preprocessor. The rate filter changes the action on a rule (e.g. from alert to drop). You might try that out to see how it works and then look at the code to see if it helps you with your effort.

------------------------------------------------------------------------
*From:* highend root [highend () onycs com]
*Sent:* Thursday, May 08, 2014 10:16 AM
*To:* Russ Combs (rucombs)
*Subject:* Snort Dynamic Preprocessor for BACnet

Hello Mr. Combs,

I already contacted you at the end of March regarding the development of a dynamic preprocessor for the BACnet building automation protocol. Work is in good progress so far but you may point me in the right direction on how to implement a kind of stateful normalization.

As a simple example: Drop or limit the number of messages with the same content (or of the same type) within a time window.

Is there an implementation of a similar kind within another preprocessor which I could use as a guide? An answer is very much appreciated.

Best Regards
Harry Haerpfer
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
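
The per-key time-window limiting asked about in this thread, sketched in C as an added example; it is not code from Snort, from sfrf.c, or from either poster. It is loosely modelled on rate_filter's count, seconds and timeout options. All type and function names are hypothetical, and the tracking key (source address plus a one-byte message type) is an assumption.

```c
#include <stdint.h>
#include <time.h>

/* Added illustration; every name here is hypothetical, not the sfrf.c API. */
#define RL_SLOTS 256
typedef enum { RL_PASS = 0, RL_DROP = 1 } rl_action;

typedef struct {
    uint32_t src_ip;                    /* key: sender address */
    uint8_t  msg_type, in_use;          /* key: message type; slot flag */
    uint32_t count;                     /* messages in the current window */
    time_t   window_start, drop_until;  /* window start; end of drop period */
} rl_entry;

typedef struct {                        /* zero-initialise before use */
    unsigned count, seconds, timeout;   /* threshold, window, drop duration */
    rl_entry slots[RL_SLOTS];
} rl_table;

/* Find or create the state for (ip, type) using linear probing. */
static rl_entry *rl_lookup(rl_table *t, uint32_t ip, uint8_t type) {
    unsigned h = (ip * 2654435761u ^ type) % RL_SLOTS;
    for (unsigned i = 0; i < RL_SLOTS; i++) {
        rl_entry *e = &t->slots[(h + i) % RL_SLOTS];
        if (e->in_use && e->src_ip == ip && e->msg_type == type) return e;
        if (!e->in_use) {
            e->src_ip = ip; e->msg_type = type; e->in_use = 1;
            return e;
        }
    }
    return NULL;                        /* table full */
}

/* Allow up to t->count messages per key in t->seconds; on overflow,
 * drop that key's messages for t->timeout seconds. */
rl_action rl_check(rl_table *t, uint32_t ip, uint8_t type, time_t now) {
    rl_entry *e = rl_lookup(t, ip, type);
    if (!e) return RL_PASS;             /* fails open: size the table to fit */
    if (now < e->drop_until) return RL_DROP;
    if (e->count == 0 || now - e->window_start >= (time_t)t->seconds) {
        e->window_start = now; e->count = 0;
    }
    if (++e->count > t->count) {
        e->drop_until = now + (time_t)t->timeout; e->count = 0;
        return RL_DROP;
    }
    return RL_PASS;
}
```

The table never evicts entries and passes traffic once it is full, so a real preprocessor would need to age out idle keys and decide deliberately whether to fail open or closed.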