Hi folks,

A member of SLUG suggested I ask this question here. Please excuse the intrusion (pardon the pun).

We want a prototype for internal use that is probably going to be a Snort pre-processor. I am wondering if there is anyone out there who has done something similar and knows Snort.

The job goes a little like this: the open source IDS called Snort allows for lookups on source/destination IP addresses either by explicit definition (e.g. 192.168.0.0/24) or by variable name (e.g. $PRIVATE_NET). We are seeking to extend Snort to look up an API to match a condition. An example might be:

"log tcp 192.168.0.0/24 -> myapi :6000"

This would log any traffic from the local network to any destination IPs that are matched with TRUE in "myapi". myapi would take the destination IP address and return TRUE/FALSE. Because Snort has large concerns with performance and latency, we are happy to implement a local cache and have requests sent down a netlink socket, which can be checked later and added to the cache.

Thanks
David

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
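The non-blocking cache-and-ask-later scheme the post sketches, as an added example in C (not Snort code, and not the poster's prototype): a miss never stalls the packet path; the address is queued for a hypothetical external "myapi" resolver, and the rule does not match until an answer has been cached. The queue stands in for the netlink socket, and all function names are assumptions.

```c
#include <stdint.h>

/* Verdict states for one cached address. PENDING means "asked, no answer yet". */
enum verdict { V_UNKNOWN = 0, V_PENDING, V_FALSE, V_TRUE };

#define CACHE_SLOTS 1024   /* direct-mapped cache; collisions simply overwrite */
#define QUEUE_LEN   256    /* bounded queue standing in for the netlink socket */

struct entry { uint32_t ip; enum verdict v; };

static struct entry cache[CACHE_SLOTS];
static uint32_t pending_q[QUEUE_LEN];
static int q_head = 0, q_tail = 0;

static struct entry *slot_for(uint32_t ip) {
    return &cache[(ip * 2654435761u) % CACHE_SLOTS];   /* multiplicative hash */
}

/* Hypothetical stand-in for writing a request to the netlink socket. */
static int queue_request(uint32_t ip) {
    int next = (q_tail + 1) % QUEUE_LEN;
    if (next == q_head) return -1;   /* queue full: caller retries on a later packet */
    pending_q[q_tail] = ip;
    q_tail = next;
    return 0;
}

/* Per-packet check. Returns 1 only once the API has answered TRUE for dst_ip;
 * a miss or an outstanding request counts as "no match" so the fast path never blocks. */
int api_match(uint32_t dst_ip) {
    struct entry *e = slot_for(dst_ip);
    if (e->ip == dst_ip && e->v != V_UNKNOWN)
        return e->v == V_TRUE;           /* cached TRUE/FALSE, or still PENDING -> 0 */
    e->ip = dst_ip;
    e->v = V_PENDING;
    if (queue_request(dst_ip) != 0)      /* could not ask: forget it, ask again next time */
        e->v = V_UNKNOWN;
    return 0;
}

/* Called when an answer arrives from the resolver (e.g. read off the socket). */
void api_answer(uint32_t dst_ip, int is_true) {
    struct entry *e = slot_for(dst_ip);
    e->ip = dst_ip;
    e->v = is_true ? V_TRUE : V_FALSE;
}

/* Dequeue the next outstanding request; returns 0 (never a queued value here) if empty. */
uint32_t next_pending(void) {
    if (q_head == q_tail) return 0;
    uint32_t ip = pending_q[q_head];
    q_head = (q_head + 1) % QUEUE_LEN;
    return ip;
}
```

A real pre-processor would also need an expiry or negative-cache TTL so stale FALSE answers do not suppress matches forever.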
