Snort mailing list archives

RE: iptable support


From: "Joshua Brindle" <jbrindle () snu edu>
Date: Fri, 12 Oct 2001 11:38:30 -0500

> Interesting concept you're after, but I don't know of anything that does
> that now.

How depressing. Perhaps if someone could help me on the m->payload to bp conversion in that pcap patch it could be done
very easily :) and with no modification to snort :) :) and with other pcap-linked apps as well.

> Good luck in your search,

Thanks

Joshua

-----Original Message-----
From: Joshua Brindle [mailto:jbrindle () snu edu]
Sent: Friday, October 12, 2001 12:18 AM
To: ben () ritcey com
Subject: RE: [Snort-users] iptable support


nah, I've looked at hogwash, and I like the concept but I do not like the
implementation. Hogwash does userspace copying from interface to interface
and this is not what I want; I want something that fits in with netfilter so
that it can take advantage of Linux's other abilities (i.e. bridging,
routing, etc). In particular, hogwash is meant as an inline stackless active
NIDS, but I want something more like a switch (right now my setup has 3 NICs:
lan, dmz, internet) and hogwash can't do this or do any routing or anything,
and why set up 2 or 3 machines to do what 1 can? I've taken a look at
hogwash-iptables and I still don't really like the implementation, and
hogwash seems to be bound to (as of right now anyway) snort 1.7.1 so it
can't take advantage of anything newly added. I want either a drop-in pcap
driver, or some way for snort to interact natively with netfilter. Thanks
though.


Joshua Brindle

"Benjamin W. Ritcey" <ben () ritcey com> 10/11/01 22:59 PM >>>
You want Hogwash

http://hogwash.sourceforge.net/

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Joshua
Brindle
Sent: Thursday, October 11, 2001 11:39 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] iptable support


There was some talk in November of last year about a version of snort
written to use iptables but I can't find this anywhere, and the author's
email @secureworks.net seems not to work anymore. The response said that
snort would likely at some time be more modular and able to support
alternate packet capturers, but it seems like snort is still very reliant on
pcap. The reason I'm wondering is because I want a sort of active IDS that
will simply drop packets that match a signature, instead of trying to reset
the connection. I wrote a pcap 'driver' that uses ipq but it seems that the
m->payload and bp are in different formats and I don't know how to convert
between them. The patch is at
http://web.snu.edu/~jbrindle/pcap-netfilter.diff if anyone wants to take a
look and see what they can do, or give me more info on snort's state as
non-pcap-reliant. Thanks for any info or pointers. :)

Joshua Brindle
UNIX Administrator
Southern Nazarene University

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
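The conversion the thread is stuck on is a framing mismatch: libipq (the ip_queue user-space library) hands an application an IP datagram that starts at the IP header, whereas a pcap callback on an Ethernet interface receives a frame that starts with the 14-byte Ethernet header, together with a pcap_pkthdr carrying the timestamp and capture lengths. Below is an added example, not code from the thread, from Snort or from libipq, showing one way to bridge that gap: prepend a synthetic Ethernet header whose ethertype is taken from the IP version nibble, and fill a header struct that mirrors the three pcap_pkthdr fields a consumer reads. The struct and function names (frame_hdr, ethertype_for_ip, wrap_ip_as_ethernet) and the sample IPv4 header are this example's own constructions; it links against neither libpcap nor libipq. The alternative, if the consuming decoder supports it, is to hand the raw datagram over under libpcap's DLT_RAW link type and skip the synthetic header entirely. Either way, because ip_queue holds the packet until the application returns a verdict, a match can be turned into a real drop rather than a reset sent after the fact, which is the behaviour the original question is after.

```c
/* Added example: adapt a netfilter ip_queue payload (raw IP datagram) into
 * an Ethernet-framed buffer plus a pcap_pkthdr-like header, so that code
 * written against a pcap handler can consume it.
 * All names here are the example's own; nothing links against libpcap/libipq.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/time.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86DD

/* Mirrors the three fields a pcap callback reads from struct pcap_pkthdr. */
struct frame_hdr {
    struct timeval ts;  /* time the packet was received from the queue */
    uint32_t caplen;    /* bytes present in the buffer */
    uint32_t len;       /* bytes on the wire (equal to caplen: nothing is truncated) */
};

/* Map the IP version nibble to an ethertype; 0 means "not an IP packet". */
uint16_t ethertype_for_ip(const uint8_t *ip, size_t iplen)
{
    if (ip == NULL || iplen < 1) return 0;
    switch (ip[0] >> 4) {
    case 4:  return ETHERTYPE_IPV4;
    case 6:  return ETHERTYPE_IPV6;
    default: return 0;
    }
}

/* Build an Ethernet frame from a raw IP datagram.
 * Returns the frame length written to out, or 0 on error (unrecognised IP
 * version, or output buffer too small). Fills hdr when non-NULL. */
size_t wrap_ip_as_ethernet(const uint8_t *ip, size_t iplen, struct timeval ts,
                           uint8_t *out, size_t outcap, struct frame_hdr *hdr)
{
    uint16_t et = ethertype_for_ip(ip, iplen);
    if (et == 0) return 0;
    if (outcap < ETH_HDR_LEN + iplen) return 0;

    /* Synthetic destination/source MACs (all zero); decoders step past them. */
    memset(out, 0, 12);
    out[12] = (uint8_t)(et >> 8);
    out[13] = (uint8_t)(et & 0xff);
    memcpy(out + ETH_HDR_LEN, ip, iplen);

    if (hdr) {
        hdr->ts = ts;
        hdr->caplen = (uint32_t)(ETH_HDR_LEN + iplen);
        hdr->len = hdr->caplen;
    }
    return ETH_HDR_LEN + iplen;
}

/* Constructed sample (not a real capture): a minimal 20-byte IPv4 header,
 * version 4, IHL 5, total length 20, TTL 64, protocol 6 (TCP),
 * 10.0.0.1 -> 10.0.0.2, checksum left zero. */
static const uint8_t SAMPLE_IPV4[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02
};

int main(void)
{
    uint8_t frame[1500];
    struct frame_hdr hdr;
    struct timeval now;
    gettimeofday(&now, NULL);

    size_t n = wrap_ip_as_ethernet(SAMPLE_IPV4, sizeof SAMPLE_IPV4, now,
                                   frame, sizeof frame, &hdr);
    printf("frame: %zu bytes, caplen=%u, ethertype=0x%02x%02x\n",
           n, hdr.caplen, frame[12], frame[13]);
    return n == 0;
}
```

In a real ip_queue loop the `ip` pointer and `iplen` would come from the queued message's payload and data length, and `ts` from gettimeofday() at receive time; the resulting `frame`/`hdr` pair is what a pcap-style callback would be invoked with, and the verdict (accept or drop) is returned to the queue only after that callback has run.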