Snort mailing list archives

Re: [Snort-users] Interested in developing a preprocessor; want all the documentation I can get.


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Tue, 13 Aug 2013 19:27:26 -0400

Appreciate all the feedback. Apologies for the delay: sleeping, work, etc.
You get the idea.

I was thinking DAQ is where I would want to look as well, but I was under
the impression that DAQ essentially takes the place of libpcap -- you're
using DAQ to grab the raw traffic off the wire before passing it to Snort
for "cleanup" and other purposes. I don't know if this assertion is correct
or not -- I mean, is DAQ used to pass reassembled traffic between
preprocessors?

I'm not a dev either, just another infosec enthusiast, and I thought
that this would be something awesome since Snort is really good at
reassembling traffic and prads/p0f could totally take advantage of
reassembled streams for service and OS detection. This in turn can create a
feedback loop for building reassembly policies and (eventually) be used to
make suggestions for rules to enable/disable via PulledPork or another
rule management tool.


On Tue, Aug 13, 2013 at 8:56 AM, Joel Esler <jesler () sourcefire com> wrote:

On Aug 12, 2013, at 9:52 PM, Tony Robinson <deusexmachina667 () gmail com>
wrote:

This gives me a good starting point... Do you or anyone else for that
matter know if the starter kit is compatible with the latest Snort
versions? I'm assuming so, since the web page refers to Snort 2.9.4.x while
the text doc in the tarball refers to Snort 2.9.0.x.

Also, specifically what I'm looking to do is take normalized traffic in
either a passive or inline config and pass the cleaned up/reassembled
traffic to prads or p0f for more accurate host detection, and in turn prads
or p0f could be used to build more accurate Stream5 or Frag3 host
policies. Makes sense, no?


It’s compatible.
-- 
when does reality end? when does fantasy begin?
Snort-devel mailing list