Re: Diverting packets like IPFW DIVERT
The new filter option in bpf (in current)
allows frames to be passed to userland and dropped in the kernel if they
match a bpf filter. Could allow for some funky BSD-licensed inline IDS if
anyone is willing to write the code (snort ruleset -> bpf filter, or full
on userland app with frame reinjection)... the few foreseen problems would
be fragmentation and performance / complexity of the bpf filter.
It would sort of be like ngrep with the filter bpf command bolted on with
a ruleset back end.
Probably not what you're after, but I thought the new filter bpf command was
a nice addition ;)
On Fri, 02 Jul 2004 09:11:44 +1000, Damien Miller <[email protected]> wrote:
> Marcelo de Souza wrote:
> > I'm planning to implement some kind of network IPS (a preemptive
> > and, after some days of research, I've discovered that there are
> > solutions for this.
> > The biggest example is using snort-inline in Linux (using iptables
> > FreeBSD (with ipfw divert - except that it doesn't work over bridges).
> > Actually I'd like to implement this thing over OpenBSD + pf, but as I
> > until now, there is no way to divert packets from kernel network hooks
> You can rdr to an app listening on a localhost socket - see the examples
> for ftp-proxy. If you want something more complicated, you could
> route-to or dup-to a tun/tap interface and have your app listen on it.
> I'm not sure how compatible this is with snort-inline.
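As an added example, not taken from any message in this thread, here is a pf.conf fragment showing the two approaches Damien describes: rdr to a local ftp-proxy listener, and dup-to / route-to a tun interface that a userland sensor reads. The interface names fxp0 and tun0 and the proxy port 8021 are assumptions, and the rules use the rdr-style syntax of pf from that period (later releases express redirection on pass rules).

```pf
# Added example (not from the thread). Assumed: fxp0 = external interface,
# tun0 = interface a userland analyser has open, 8021 = ftp-proxy port.
ext_if = "fxp0"

# 1. Redirect to an app on a localhost socket, as in the stock ftp-proxy
#    example: inbound FTP control connections land on ftp-proxy at 127.0.0.1:8021.
rdr on $ext_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
pass in on $ext_if proto tcp from any to 127.0.0.1 port 8021 keep state

# 2a. dup-to: pf forwards the packet normally AND sends a copy to tun0, where
#     the userland sensor reads it. This is passive: the sensor sees traffic
#     but cannot stop anything, so it is detection only.
pass in on $ext_if dup-to (tun0) keep state

# 2b. route-to: pf hands the packet to tun0 INSTEAD of forwarding it. Nothing
#     reaches the real destination unless the userland app writes it back, so
#     the app, not pf, decides what is dropped. Enable one of 2a/2b, not both.
# pass in on $ext_if route-to (tun0) keep state
```

With 2b, a stalled or crashed userland app silently blackholes everything matched by the rule, which is the fail-closed trade-off of an inline design.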