What We Didn't Cover

Snort has preprocessors that can defragment IP datagrams before the rules engine sees them, decode HTTP protocol strings so that URI escapes are undone before you check packets with the content option, detect port scans, perform TCP stream reassembly, and even do statistical packet-anomaly detection. These are very useful and powerful features, and you should learn them.
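To make concrete why the preprocessors run first, here is an added example in Python (not code from the book or from Snort itself) that models two of them as plain functions: IP fragments are stitched back together by offset, URI escapes are decoded, and the same content string is checked at each stage. The fragments, their offsets and the signature string are constructed for the illustration; the reassembly is a toy that keeps the first copy of any overlapping bytes, whereas a real defragmenter picks an overlap policy per target host.

```python
# Added illustration (not from the book or from Snort): why a rule's
# content option only works on preprocessed data.  A plain substring
# match cannot see a signature that is split across IP fragments or
# hidden behind %XX escapes in the URI.
from urllib.parse import unquote_to_bytes

# Constructed sample: one HTTP request whose payload arrives as two IP
# fragments, listed out of order.  Each entry is (byte offset, payload).
FRAGMENTS = [
    (10, b"in/config HTTP/1.0\r\n"),
    (0, b"GET /%61dm"),
]

# Constructed signature, the kind of string a rule's content: option carries.
SIGNATURE = b"/admin/config"


def reassemble(fragments):
    """Toy model of IP defragmentation: stitch fragments together by offset.

    Overlapping bytes keep the first copy received; a real defragmenter
    resolves overlaps according to a per-target policy, which this omits.
    """
    buf = bytearray()
    for offset, chunk in sorted(fragments, key=lambda f: f[0]):
        if offset > len(buf):
            raise ValueError(f"missing fragment before offset {offset}")
        buf += chunk[len(buf) - offset:]
    return bytes(buf)


def decode_uri_escapes(payload):
    """Toy model of HTTP decoding: undo %XX escapes once."""
    return unquote_to_bytes(payload)


def content_match(payload, signature):
    """The rules engine's content check: a plain substring search."""
    return signature in payload


def inspect_payload(fragments, signature):
    """Run the same signature at three points in the pipeline."""
    per_fragment = any(content_match(chunk, signature) for _, chunk in fragments)
    datagram = reassemble(fragments)
    return {
        "per_fragment": per_fragment,
        "reassembled": content_match(datagram, signature),
        "preprocessed": content_match(decode_uri_escapes(datagram), signature),
    }


if __name__ == "__main__":
    for stage, hit in inspect_payload(FRAGMENTS, SIGNATURE).items():
        print(f"{stage:13s} {'ALERT' if hit else 'no match'}")
```

Run stand-alone it prints "no match" for the per-fragment and reassembled-but-undecoded stages and "ALERT" only once both preprocessing steps have run, which is the ordering Snort's preprocessor chain enforces before the rules engine sees a packet.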

We didn't cover defining your own rule actions (for the C literate, this is a kind of "typedef" for Snort rules).

We didn't cover output modules. (Note to Debian users: as of this writing, the version of Snort available in Debian 2.2 doesn't have output module support.) Output modules allow you to specify a series of "postprocessors" (Snort calls them output plug-ins) that will be handed packets that match a rule. Snort comes with a number of these predefined, and you may write your own if you wish (remember, it is your source code). This is another powerful capability, and some of the provided plug-ins, like Xml and Alert_unixsock, can greatly expand the capabilities of Snort. This is another area you should explore on your own.

Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257
