
Re: Diverting packets like IPFW DIVERT



The new filter option in bpf (in current http://archives.neohapsis.com/archives/openbsd/cvs/2004-06/0798.html) allows frames to be passed to userland and dropped in the kernel if they match a bpf filter. Could allow for some funky bsd licensed inline ids if anyone is willing to write the code (snort ruleset -> bpf filter or full on userland app with frame reinjection)... the few foreseen problems would be fragmentation and performance / complexity of the bpf filter

it would sort of be like ngrep with the filter bpf command bolted on with a ruleset back end

probably not what you're after but i thought the new filter bpf command was a nice addition ;)

Cheers
Ste Jones
NetworkPenetration.com

On Fri, 02 Jul 2004 09:11:44 +1000, Damien Miller <[email protected]> wrote:

Marcelo de Souza wrote:
Hello all,

I'm planning to implement some kind of network IPS (a preemptive network IDS)
and, after some days of research, I've discovered that there are already good
solutions for this.


The biggest example is using snort-inline in Linux (using iptables QUEUE) or
FreeBSD (with ipfw divert - except that it doesn't work over bridges).


Actually I'd like to implement this thing over OpenBSD + pf, but as I found
until now, there is no way to divert packets from kernel network hooks to
userland.

You can rdr to an app listening on a localhost socket - see the examples for ftp-proxy. If you want something more complicated, you could route-to or dup-to a tun/tap interface and have your app listen on it.

I'm not sure how compatible this is with snort-inline.

-d
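The two pf approaches Damien describes, written out as an added pf.conf fragment (not from the thread, and using the pre-4.7 rule syntax of the period). Interface names, the 8021 listener port and the tun0 sensor interface are assumptions for this example.

```pf
# Added example, not part of the original thread. Pre-4.7 pf syntax.
ext_if = "fxp0"
int_if = "fxp1"

# 1. Hand matching sessions to a userland proxy on a localhost socket, the
#    way the ftp-proxy setup does. The proxy listens on 127.0.0.1:8021 and
#    uses DIOCNATLOOK on /dev/pf to recover the original destination before
#    it relays or refuses the session. Port 8021 is an assumed value.
rdr on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
pass in on $int_if inet proto tcp from $int_if:network to 127.0.0.1 port 8021 keep state

# 2a. Inline: route inbound packets to a tun interface. Nothing reaches the
#     stack unless the app reading tun0 writes the packet back, so a packet the
#     app never reinjects is effectively dropped.
pass in on $ext_if inet proto tcp from any to $int_if:network route-to (tun0) keep state

# 2b. Passive: copy packets to tun0 while the original still passes. This only
#     observes; it cannot block, so it is not a snort-inline substitute.
pass in on $ext_if inet proto tcp from any to $int_if:network dup-to (tun0) keep state
```

The app behind rdr sees only its own socket's addresses, so without the DIOCNATLOOK step it cannot tell where the client was actually going; that lookup is what makes the localhost-listener approach usable for anything beyond a single fixed service.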
