It would sort of be like ngrep with the filter bpf command bolted on, with a ruleset back end.
Probably not what you're after, but I thought the new filter bpf command was a nice addition ;)
Cheers Ste Jones NetworkPenetration.com
On Fri, 02 Jul 2004 09:11:44 +1000, Damien Miller <[EMAIL PROTECTED]> wrote:
Marcelo de Souza wrote:
Hello all,
I'm planning to implement some kind of network IPS (a preemptive network IDS)
and, after some days of research, I've discovered that there are already good
solutions for this.
The biggest example is using snort-inline in Linux (using iptables QUEUE) or
FreeBSD (with ipfw divert - except that it doesn't work over bridges).
Actually I'd like to implement this thing over OpenBSD + pf, but as far as I've found
so far, there is no way to divert packets from kernel network hooks to
userland.
You can rdr to an app listening on a localhost socket - see the examples for ftp-proxy. If you want something more complicated, you could route-to or dup-to a tun/tap interface and have your app listen on it.
I'm not sure how compatible this is with snort-inline.
-d
--

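As an added illustration of the two options Damien mentions (these fragments are not from the thread, from ftp-proxy, or from OpenBSD's own example files), here is what the rdr-to-localhost pattern and the dup-to/route-to-a-tun-interface pattern look like in pf.conf using the syntax of the time. Interface names, addresses and the port the userland app listens on are assumed.

```pf
# Added example: pf.conf fragments for handing traffic to a userland process.
# Assumed names: fxp0 is the inside interface, tun0 is a tun interface brought
# up with "ifconfig tun0 10.0.0.1 10.0.0.2" and read by the inspection process.
int_if = "fxp0"
tun_if = "tun0"

# 1. rdr to an app on a localhost socket (the ftp-proxy pattern).
#    TCP/21 from the LAN is redirected to a process listening on 127.0.0.1:8021.
#    The app makes the onward connection itself: it is a proxy for one service,
#    not a filter over arbitrary packets, so it only covers protocols it speaks.
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# 2. dup-to: copy every packet crossing $int_if to tun0. The original packet
#    is still forwarded by the kernel, so the userland reader only observes
#    (IDS behaviour); it cannot block what it sees.
pass in  on $int_if dup-to ($tun_if 10.0.0.2) all
pass out on $int_if dup-to ($tun_if 10.0.0.2) all

# 3. route-to: send the packet itself to tun0 instead of a copy. Now nothing
#    reaches its destination unless the userland process re-injects it
#    (e.g. by writing the accepted packet back to a raw socket or second tun),
#    which is the closest pf gets to an inline IPS without a kernel divert.
pass in on $int_if route-to ($tun_if 10.0.0.2) proto tcp from any to any
```

Practical caveats: with option 2 the inspecting process can only alert or add state-based blocks after the fact, and with option 3 the re-injection path must itself be excluded from the route-to rule or the packet loops; neither gives the per-packet verdict semantics that snort-inline gets from iptables QUEUE or ipfw divert.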