Marcelo de Souza wrote:
> Hello all,
> 
> I'm planning to implement some kind of network IPS (a preemptive network IDS)
> and, after some days of research, I've discovered that there are already good
> solutions for this. 
> 
> The biggest example is using snort-inline in Linux (using iptables QUEUE) or
> FreeBSD (with ipfw divert - except that it doesn't work over bridges).
> 
> Actually I'd like to implement this thing over OpenBSD + pf, but as I found
> until now, there is no way to divert packets from kernel network hooks to
> userland. 

You can rdr to an app listening on a localhost socket - see the examples
for ftp-proxy. If you want something more complicated, you could
route-to or dup-to a tun/tap interface and have your app listen on it.

I'm not sure how compatible this is with snort-inline.

-d
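As an added illustration (not from the original thread), the two pf techniques the reply mentions, written in classic pf.conf syntax; the interface names, the 127.0.0.1:8021 listener, the tun0 peer address and the port numbers are all assumed values:

```pf
# Added example, not from the original message. Classic pf.conf syntax;
# fxp0/fxp1, the 127.0.0.1:8021 inspection daemon and tun0 are assumptions.
int_if = "fxp0"
ext_if = "fxp1"

# 1. rdr to a userland daemon on localhost, the way ftp-proxy is hooked in:
#    FTP control connections from the LAN are redirected to an inspection
#    daemon bound to 127.0.0.1:8021, which then opens its own outbound
#    connection. Filter rules see the translated address, so the pass rule
#    below admits the redirected packets.
rdr on $int_if proto tcp from $int_if:network to any port 21 \
    -> 127.0.0.1 port 8021
pass in on $int_if proto tcp from $int_if:network to 127.0.0.1 port 8021

# 2. dup-to a tun interface: pf forwards the packet normally and also sends
#    a copy out tun0 (a point-to-point interface, so a peer address is given).
#    A userland process reading /dev/tun0 sees every packet of the selected
#    flows. This is a passive feed: userland cannot drop the original packet.
pass in on $ext_if dup-to (tun0 10.99.0.2) proto tcp from any to any port 80

# route-to instead of dup-to sends the original packet itself to tun0, so the
# userland process must reinject whatever it decides to accept; that is the
# inline (IPS) shape of the same idea.
# pass in on $ext_if route-to (tun0 10.99.0.2) proto tcp from any to any port 80
```

The rdr form only works for protocols a proxy can terminate and re-originate (TCP services with a known port); the tun form covers arbitrary traffic, but with dup-to the copy arrives after pf has already passed the original, so it gives detection, not prevention, while route-to makes the userland process responsible for the packet and for reinjecting it.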
