Intrusion Detection Systems mailing list archives

Re: Real Traffic (was Re: BlackICE IDS)


From: roesch () clark net (The Roesch's)
Date: Mon, 06 Dec 1999 20:30:22 -0500
FYI, the upcoming version 1.5 of Snort is implementing a "plugin" concept on the
preprocessing and detection engine that adds great flexibility to the program. 
Essentially, you can write (in C) and drop in plugin modules that are either
detection modules (applied on an "as called" basis by the rules engine) or
preprocessors (run after decode but before detection, called once per packet). 
Detection plugins are where you do things like check the TCP flags for specific
settings; preprocessors are where you do IP defragmentation.

Coming to The Point now, the first preprocessor written was (drum roll please)
http_decode, which completely defeats Whisker.pl by normalizing http requests to
straight ASCII.  Future plugins will fill in many of the gaps that exist in
Snort currently (defrag, stream reassy, port scan detection, etc).  This will
obviously slow down the performance of the program, but the nice thing about
plugins is that you can tune them at the user level from the rules file that is
loaded into Snort.

If you're interested, you can check out the latest 1.5 beta from CVS via my web
page or directly from http://www.clark.net/~roesch/snort-1.5-beta7.2.tar.gz.

--
Martin & Anna Roesch
roesch () clark net
http://www.clark.net/~roesch

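The http_decode idea described in the message above, as an added illustration that is not Snort's code (Snort's preprocessors are written in C; this is a constructed Python model of the same normalization step). It shows why a plain-ASCII signature match fails against Whisker-style URI obfuscation (hex-encoded characters, `/./` self-references, doubled slashes, `..` traversal) and why normalizing the request before matching defeats it. The rule set, the request lines and the helper names are all made up for the example; evasions that split a request across TCP segments are not covered, since those need the stream reassembly the message lists as a still-missing plugin.

```python
"""Constructed model of an HTTP request-URI normalizer in front of a
plain-ASCII signature engine. Not Snort's http_decode; example code only."""
import re
from urllib.parse import unquote

# Hypothetical plain-ASCII signatures, in the spirit of a `content:` match.
RULES = {
    "phf": "/cgi-bin/phf",
    "test-cgi": "/cgi-bin/test-cgi",
}

def parse_request_line(line: str) -> tuple[str, str, str]:
    """Split 'METHOD URI VERSION'. str.split() with no argument also
    accepts tabs as separators, so a TAB-separated request is parsed too."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError(f"not an HTTP request line: {line!r}")
    version = parts[2] if len(parts) > 2 else "HTTP/0.9"
    return parts[0], parts[1], version

def normalize_uri(raw: str) -> str:
    """Reduce a request URI to the canonical form a web server would act on."""
    # 1. Percent-decode repeatedly (bounded) so %252e -> %2e -> '.' is caught.
    uri = raw
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    # 2. Only the path is path-normalized; the query string is kept as-is.
    path, sep, query = uri.partition("?")
    # 3. Walk the path segments: drop empty segments (from '//'), drop '.',
    #    and let '..' pop the previous segment, as a server's path resolver does.
    resolved: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    path = "/" + "/".join(resolved)   # note: a trailing slash is not preserved
    return path + (sep + query if sep else "")

def match_rules_raw(request_line: str) -> list[str]:
    """Naive engine: substring match on the URI exactly as sent."""
    _, uri, _ = parse_request_line(request_line)
    return [name for name, pat in RULES.items() if pat in uri]

def match_rules(request_line: str) -> list[str]:
    """Same engine with the normalizer run first (the http_decode step)."""
    _, uri, _ = parse_request_line(request_line)
    norm = normalize_uri(uri)
    return [name for name, pat in RULES.items() if pat in norm]

# Constructed sample request lines: one plain, the rest obfuscated.
SAMPLES = [
    "GET /cgi-bin/phf HTTP/1.0",
    "GET /%63%67%69-bin/phf HTTP/1.0",          # hex-encoded 'cgi'
    "GET /cgi-bin/./phf HTTP/1.0",              # directory self-reference
    "GET //cgi-bin//phf HTTP/1.0",              # doubled slashes
    "GET /foo/../cgi-bin/./phf?x=1 HTTP/1.0",   # traversal plus self-reference
    "GET /cgi-bin/%252e/test-cgi HTTP/1.0",     # double-encoded '.'
    "GET /index.html HTTP/1.0",                 # benign
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:48} raw={match_rules_raw(line)!s:14} normalized={match_rules(line)}")
```

Every obfuscated sample above slips past the raw substring match and is caught once the URI is normalized, while the benign request matches nothing either way. The bounded decode loop matters: a single `unquote` pass would leave a double-encoded request unrecognized.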