Re: [Netadm-devel] Hi~ Netadm members~ .. some project for ips tools
From: EP8KHA E. <ep...@ho...> - 2006-03-02 23:04:39
Hi netadm group,

I've been looking over the code for snort. So far I've dissected the initialization portion of snort. For those who want to look over the code, this is a great guide to help understand how the code is laid out: http://afrodita.unicauca.edu.co/~cbedon/snort/snort.html

From what I've seen, all we're doing is initializing the engine and giving it rules to process the packets. Getting the engine to work alongside our program may not be too bad, since initializing the engine is just one function call and getting the engine to do what we want is mainly giving the engine a set of rules. However, there are several issues I'm going to try to root out in the next few days:

1) How does the engine actually receive rulesets?
2) How does the engine process packets? I want to look at this more in detail.
3) How do other systems integrate the Snort engine? - Great find Kwung-Kyung.

I'm going to skip over the Snort parser, which is used to parse rules files, to focus more of my time on how to get the rulesets into the engine. For now I'm going to treat the engine as a black box and see how we can get the rules into the engine seamlessly. I think this step will allow us to actually get something tangible to work with. Afterwards, we can think about tweaking the engine itself for our purposes. ^_^

George

>From: jeho-park <lin...@gm...>
>To: MoonC <bo...@gm...>
>CC: Net...@li...
>Subject: Re: [Netadm-devel] Hi~ Netadm members~ .. some project for ips tools
>Date: Fri, 03 Mar 2006 04:35:38 +0900
>
>hi kwan-kyung
>
>i checked hlbr project and prelude-ids projects.
>
>in these three projects, prelude-ids seems to use snort as its IDS engine. is it right?
>if so, it is what i have looked for ~!. i want you to let me know how they integrate with snort ruleset and engine or how they access snort engine with their interface frame.
>i think this frame will be most important point in our researching.
>if you find and understand their frame, i think you will have to design and implement that.
>
>in hlbr project, it is some awesome because they seem to add route code in user layer.
>as far as i know, routing code must be in the kernel layer as our pf.c does. ..
>
>i will do more check hlbr code and prelude-ids's.
>it is not to develop by myself but to talk with you about designing how this functionality will be integrated with current packet prevention module -pf.ko-
>
>if you find more information about these three projects, please let me know.
>
>regards
>jeho park
>
>MoonC wrote:
>
>>Hi everyone..
>> I've found some IPS tools and projects. These projects help us research IPS engines.
>> This IPS works at Layer 2: http://hlbr.sourceforge.net/index-en.html
>> IPS test tool, Tipping Point open..
>>http://tomahawk.sourceforge.net/
>>
>>hybrid open source IDS
>>http://prelude-ids.org/
>>
>> Thanks.