[Snort-inline-users] Patches for snort-inline+barnyard

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi Rob.

Attached please find patches to snort_inline-2.1.2 and barnyard-0.1.0 to 
allow them to work together in inline mode. The approach is this:

- A new magic number INLINE_MAGIC is defined which is used for unified 
logs in inline mode. (In tap/IDS mode, LOG_MAGIC is still used for 
unified logs. In both modes, ALERT_MAGIC is still used for unified alerts.)

- In inline mode, IP datagrams are passed through libipq, and it is 
therefore these which hit the unified logs.

- Barnyard is caused to use DecodeIP instead of DecodeEthPkt when it 
sees INLINE_MAGIC.

Credit for this goes to my colleague Jon Mann.

Enjoy.

- Raz