Thread: [Netadm-devel] Hi~ Netadm members~ .. some project for ips tools
Status: Beta
Brought to you by:
linuxpark
From: MoonC <bo...@gm...> - 2006-03-02 13:41:42
Hi everyone..

I found some IPS tools and projects. These projects help us research an IPS engine.

This IPS works at Layer 2:
http://hlbr.sourceforge.net/index-en.html

IPS test tool, Tipping Point open..:
http://tomahawk.sourceforge.net/

Hybrid open source IDS:
http://prelude-ids.org/

Thanks.
From: jeho-park <lin...@gm...> - 2006-03-02 19:37:22
Hi Kwan-Kyung,

I checked the hlbr project and the prelude-ids project. Of these three projects, prelude-ids seems to use Snort as its IDS engine. Is that right? If so, it is what I have been looking for~! I want you to let me know how they integrate with the Snort ruleset and engine, or how they access the Snort engine through their interface frame. I think this frame will be the most important point in our research. If you find and understand their frame, I think you will have to design and implement that.

The hlbr project is somewhat awesome because they seem to add routing code in the user layer. As far as I know, routing code must be in the kernel layer, as our pf.c does. ..

I will check the hlbr code and prelude-ids's more. It is not for me to develop by myself, but to talk with you about designing how this functionality will be integrated with the current packet prevention module (pf.ko).

If you find more information about these three projects, please let me know.

Regards,
jeho park
From: EP8KHA E. <ep...@ho...> - 2006-03-02 23:04:39
Hi netadm group,

I've been looking over the code for Snort. So far I've dissected the initialization portion of Snort. For those who want to look over the code, this is a great guide to help understand how the code is laid out:
http://afrodita.unicauca.edu.co/~cbedon/snort/snort.html

From what I've seen, all we're doing is initializing the engine and giving it rules to process the packets. Getting the engine to work alongside our program may not be too bad, since initializing the engine is just one function call, and getting the engine to do what we want is mainly giving the engine a set of rules. However, there are several issues I'm going to try to root out in the next few days:

1) How does the engine actually receive rulesets?
2) How does the engine process packets? I want to look at this more in detail.
3) How do other systems integrate the Snort engine? - Great find, Kwung-Kyung.

I'm going to skip over the Snort parser, which is used to parse rules files, to focus more of my time on how to get the rulesets into the engine. For now I'm going to treat the engine as a black box and see how we can get the rules into the engine seamlessly. I think this step will allow us to actually get something tangible to work with. Afterwards, we can think about tweaking the engine itself for our purposes. ^_^

George
From: park j. <par...@ho...> - 2006-03-03 01:04:16
Hi George ~

I am satisfied with the way you are going on. I think that as you continue reading over the code of Snort or others, you can draw a blueprint of an interface which allows the current gwc to access an IDS engine and alarm the packet filter module in gwc.

I am not sure whether this interface will be some kind of daemon in our source tree or independent library functions.

I think the easiest way we can make an IPS may be by inserting IPC code in Snort or another IDS program. But it has no meaning for me or us to continue developing a solution that way, and if so, there will be no know-how or enjoyment with such a way.

So I hope you will propose a frame of library functions and, if it is needed, an additional system which uses these functions.

I will continue waiting for your research.

Regards,
jeho park
From: EP8KHA E. <ep...@ho...> - 2006-03-03 23:39:37
Jeho,

Can you elaborate a bit more on this portion of your email:

"i think the most easiest way which we can make IPS may be the way of inserting IPC code in snort or other IDS program. but it has no meaning for me or us to continue developing solution. and if so, there will be no know-how or enjoy with such way."

I'm interested to see where you are going with this. Thanks ^_^

George
From: jeho-park <lin...@gm...> - 2006-03-04 02:04:54
Hi George,

The meaning of what I said is that whenever I don't have enough time to develop something, in this case especially an IDS engine, but some other open project has already developed it, I used to insert socket or IPC code into the part of that project's code where there is the information which I want.

For example, in the case of Snort, if I do it the same way as above, I will insert my code at the point where Snort sends mail or syslog to the administrator. I know .. it looks like a backdoor -_-;

The figure below illustrates this.

  +---------------------------+  <- i will consider this as black box
  | snort                     |
  | (attacker found !)        |
  |        |                  |
  |       \|/                 |
  |   alarm to admin ---------+----> syslog or mail ..by snort.. but i don't have interest :-) ---> ?
  |        |                  |
  |       \|/                 |
  |  +-------------+          |   socket or ipc         sys_msg (defcon4 | src IP, port)
  |  |   my code   |----------+-----------------------> gwcadmd ------------------------------> pf.ko, block host!
  |  +-------------+          |                                                                (block 1.1.1.1 TCP/20)
  +---------------------------+

  my format { { msg type = snort | alarm } + { priority = defcon4 } +
              { attacker info = tcp + ip(1.1.1.1) + port(20) } + .... }

When Snort finds some attacker, the output module will be activated, and then Snort will alarm with some kind of message. At this point, my code also knows what happened and more information about what's going on. As a result, my code will send a message to the gwcadmd daemon with the information which was gotten from Snort.

The important thing is that if I had decided to do it the way above, I should have done it already. The only thing we need is to make a patch which inserts our backdoor code into Snort.

My example code is here. It looks like a backdoor .. these patches make each program send a message to me (main.c):
http://jhpark.guideline.co.kr/freeradius-1.0.2-wibro-0.1.patch
http://jhpark.guideline.co.kr/Xsupplicant-1.2pre1-wibro-npt-0.1.patch
http://jhpark.guideline.co.kr/dhcp-3.0.3-wibro-0.1.patch

The code below is the receiver of the messages above (look at the select system call):
http://jhpark.guideline.co.kr/main.c

But this way is my last black jack.. Now I hope you will research more about Snort, and then I want you to design IDS functionality in our gwc.

Regards,
jeho-park
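An added example, not the project's main.c or Snort's code: the gwcadmd side of the design above, parsing one alarm message from the IPC channel and deciding whether pf.ko should be asked to block. The line encoding (`key=value` fields separated by `;`), the field names, the "lower DEFCON number is more urgent" reading of the priority, and the rule text handed to the filter are assumptions of this example; the point it demonstrates is that the receiver must validate what the hooked IDS sends before a block rule is derived from it.

```c
/* Assumed wire format (one message per line, any field order):
 *   src=snort;kind=alarm;priority=defcon4;proto=tcp;ip=1.1.1.1;port=20      */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct alarm_msg {
    char src[16];              /* producer, e.g. "snort" */
    char kind[16];             /* "alarm"; other kinds never trigger a block */
    int  defcon;               /* N from "defconN", 0 if absent */
    char proto[8];             /* "tcp" / "udp" */
    char ip[INET_ADDRSTRLEN];  /* canonical dotted quad, empty if absent */
    int  port;                 /* 1..65535, 0 if absent */
};

/* Copy a value into a fixed field; an empty or oversized value is a malformed message. */
static int set_field(char *dst, size_t cap, const char *val)
{
    size_t n = strlen(val);
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, val, n + 1);
    return 0;
}

/* Apply one key=value pair; unknown keys are ignored so the producer can add fields. */
static int apply_field(struct alarm_msg *m, const char *key, const char *val)
{
    char *end;
    long n;
    struct in_addr a;

    if (strcmp(key, "src") == 0)   return set_field(m->src, sizeof m->src, val);
    if (strcmp(key, "kind") == 0)  return set_field(m->kind, sizeof m->kind, val);
    if (strcmp(key, "proto") == 0) return set_field(m->proto, sizeof m->proto, val);
    if (strcmp(key, "priority") == 0) {
        if (strncmp(val, "defcon", 6) != 0) return -1;
        n = strtol(val + 6, &end, 10);
        if (end == val + 6 || *end != '\0' || n < 1 || n > 5) return -1;
        m->defcon = (int)n;
        return 0;
    }
    if (strcmp(key, "ip") == 0) {
        /* inet_pton rejects junk such as "1.1.1.1.1" or "1.1.1.1 " */
        if (inet_pton(AF_INET, val, &a) != 1) return -1;
        inet_ntop(AF_INET, &a, m->ip, sizeof m->ip);
        return 0;
    }
    if (strcmp(key, "port") == 0) {
        n = strtol(val, &end, 10);
        if (end == val || *end != '\0' || n < 1 || n > 65535) return -1;
        m->port = (int)n;
        return 0;
    }
    return 0;
}

/* Parse one message line into *out. Returns 0 on success, -1 if malformed. */
int parse_alarm(const char *line, struct alarm_msg *out)
{
    char buf[256], *p, *next;

    memset(out, 0, sizeof *out);
    if (strlen(line) >= sizeof buf) return -1;     /* oversized: drop, never truncate */
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';
    for (p = buf; p != NULL; p = next) {
        char *eq;
        next = strchr(p, ';');
        if (next != NULL) *next++ = '\0';
        if (*p == '\0') continue;                  /* tolerate an empty field */
        eq = strchr(p, '=');
        if (eq == NULL) return -1;
        *eq = '\0';
        if (apply_field(out, p, eq + 1) != 0) return -1;
    }
    return 0;
}

/* Policy step: block only a well-formed alarm at or above the configured urgency.
 * Assumption: lower DEFCON number = more urgent, so "defcon1" always blocks.
 * Returns 1 and writes the rule text the filter would get ("block 1.1.1.1 tcp/20"), else 0. */
int decide_block(const struct alarm_msg *m, int threshold, char *rule, size_t cap)
{
    int n;
    if (strcmp(m->kind, "alarm") != 0) return 0;
    if (m->defcon == 0 || m->defcon > threshold) return 0;
    if (m->ip[0] == '\0' || m->port == 0 || m->proto[0] == '\0') return 0;
    if (strcmp(m->ip, "0.0.0.0") == 0) return 0;  /* never hand the filter a wildcard block */
    n = snprintf(rule, cap, "block %s %s/%d", m->ip, m->proto, m->port);
    return n > 0 && (size_t)n < cap;
}

/* What the receiver's select() loop does per line read: -1 malformed, 0 ignore, 1 block. */
int handle_line(const char *line, int threshold, char *rule, size_t cap)
{
    struct alarm_msg m;
    if (parse_alarm(line, &m) != 0) return -1;
    return decide_block(&m, threshold, rule, cap);
}
```

With threshold 4, the message drawn in the figure yields `block 1.1.1.1 tcp/20`, while a `defcon5` alarm, a non-alarm message, or a message with an unparseable address or port never reaches the filter.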
From: jeho-park <lin...@gm...> - 2006-03-04 02:27:08
George,

I am sorry, I found that the figure which I drew in the previous mail was broken. Here is a new one:
http://jhpark.guideline.co.kr/data/PROJECT/netadm/reference/figure.html

Thanks,
jeho park
From: EP8KHA E. <ep...@ho...> - 2006-03-05 22:40:12
Hi,

If anyone wants to take a look at how the Snort engine goes about its business in processing packets, without looking at the initialization, you can do a search for this function in snort.c:

pcap_loop(pd, pv.pkt_cnt, (pcap_handler) PcapProcessPacket, NULL)

Thereafter, you can follow through PcapProcessPacket to find out how the packets are manipulated. Cheers ^_^

EP8KHA
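An added example, not Snort's PcapProcessPacket and not linked against libpcap: a callback with the shape pcap_loop() invokes (user pointer, capture header, raw bytes) that does the first thing any IDS entry point must do, decode Ethernet, IPv4 and TCP headers with a length check at every layer so that a truncated or malformed capture is dropped rather than read past caplen. The `pkt_hdr` struct standing in for the pcap_pkthdr fields used here, the `decoded` result and the `run_sample` driver are assumptions of this example; the frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the libpcap capture header fields used below (assumed for this example). */
struct pkt_hdr { uint32_t caplen; uint32_t len; };

struct decoded {
    int ok;               /* 1 if Ethernet/IPv4/TCP all decoded within caplen */
    uint32_t src, dst;    /* IPv4 addresses, host order */
    uint16_t sport, dport;
    uint8_t flags;        /* TCP flag byte */
    uint32_t payload_len; /* TCP payload bytes present in the captured frame */
    uint32_t dropped;     /* frames rejected by the length/type checks */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The callback: 'user' is the opaque pointer given as pcap_loop()'s last argument. */
void process_packet(uint8_t *user, const struct pkt_hdr *h, const uint8_t *pkt)
{
    struct decoded *d = (struct decoded *)user;
    uint32_t off = 14, ihl, iplen, thl;

    d->ok = 0;
    if (h->caplen < 14 || rd16(pkt + 12) != 0x0800) goto drop;       /* not IPv4 */
    if (h->caplen < off + 20) goto drop;                               /* IP header cut */
    ihl = (uint32_t)(pkt[off] & 0x0f) * 4u;
    iplen = rd16(pkt + off + 2);
    if ((pkt[off] >> 4) != 4 || ihl < 20 || iplen < ihl || h->caplen < off + iplen) goto drop;
    if (pkt[off + 9] != 6) goto drop;                                  /* not TCP */
    d->src = rd32(pkt + off + 12);
    d->dst = rd32(pkt + off + 16);
    off += ihl;
    if (iplen - ihl < 20) goto drop;                                   /* TCP header cut */
    thl = (uint32_t)(pkt[off + 12] >> 4) * 4u;
    if (thl < 20 || thl > iplen - ihl) goto drop;                      /* bogus data offset */
    d->sport = rd16(pkt + off);
    d->dport = rd16(pkt + off + 2);
    d->flags = pkt[off + 13];
    d->payload_len = iplen - ihl - thl;
    d->ok = 1;
    return;
drop:
    d->dropped++;
}

/* Constructed frame: Ethernet + IPv4 + TCP SYN from 1.1.1.1:20 to 192.168.0.1:8080, no payload. */
static const uint8_t SAMPLE[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x01,0x01,0x01,0x01, 0xc0,0xa8,0x00,0x01,
    0x00,0x14,0x1f,0x90, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };

/* Feed the sample through the callback as pcap_loop() would; a caplen smaller
 * than the frame models a snaplen that truncated the capture. */
struct decoded run_sample(uint32_t caplen)
{
    struct decoded d;
    struct pkt_hdr h;
    h.caplen = caplen;
    h.len = sizeof SAMPLE;
    memset(&d, 0, sizeof d);
    process_packet((uint8_t *)&d, &h, SAMPLE);
    return d;
}

int main(void)
{
    struct decoded d = run_sample(sizeof SAMPLE);
    if (d.ok)
        printf("tcp %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u flags=0x%02x payload=%u\n",
               d.src >> 24, (d.src >> 16) & 255, (d.src >> 8) & 255, d.src & 255, d.sport,
               d.dst >> 24, (d.dst >> 16) & 255, (d.dst >> 8) & 255, d.dst & 255, d.dport,
               d.flags, d.payload_len);
    d = run_sample(40);
    printf("truncated capture dropped: %u\n", d.dropped);
    return 0;
}
```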
From: park j. <par...@ho...> - 2006-03-06 02:07:15
Thanks George. It seems like PcapProcessPacket is the entrance of the IDS engine.

Regards,
jeho park