Thursday, September 09, 2004

Snort-Inline Developments

I noticed a post to the snort-inline mailing list last week that announced a "changing maintainer and future plans." Snort-inline is a project that allows a Snort sensor positioned inline (as opposed to sniffing passively, out of band) to accept packets from IPTables and then make pass/drop decisions. William Metcalf is taking over as lead developer from Rob McMillen, although Rob will remain with the project along with newcomer Victor Julien.
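
To make the IPTables-to-Snort hand-off concrete, here is an added example (my own, not code from the snort-inline project or the mailing list post) of the minimal deployment the post describes: the kernel queues forwarded packets to userspace, and a snort_inline rule decides whether they are dropped. It assumes the ip_queue module, iptables and a snort_inline binary; the rule content, SIDs and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: minimal snort_inline setup on a
# Linux bridge. Assumes ip_queue, iptables and a snort_inline binary built with
# inline support. Rule content, SIDs and paths are constructed placeholders.

# Run a command, or only print it when DRY_RUN is set, so the script can be
# reviewed on a workstation before it touches a real sensor.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kernel side: every forwarded packet is handed to userspace via ip_queue.
# No verdict, no forwarding: if nothing is listening on the queue the kernel
# discards queued packets, so the sensor fails closed rather than open.
queue_forward_traffic() {
    run modprobe ip_queue
    run iptables -A FORWARD -j QUEUE
}

# Sensor side: the same signature written twice. A passive sensor can only
# 'alert' after the packet has already gone by; the inline sensor can 'drop'.
write_rules() {
    rulefile="$1"
    cat > "$rulefile" <<'EOF'
# passive form: logs the match, packet is still delivered
alert tcp any any -> any 80 (msg:"EXAMPLE passive - GET /../"; content:"GET /../"; sid:1000001; rev:1;)
# inline form: same match, packet is discarded before it is forwarded
drop tcp any any -> any 80 (msg:"EXAMPLE inline - GET /../"; content:"GET /../"; sid:1000002; rev:1;)
EOF
}

# Start snort_inline reading verdict requests from the queue (-Q) as a daemon (-D).
start_sensor() {
    run snort_inline -Q -D -c "$1" -l /var/log/snort
}
```

Run with `DRY_RUN=1` first to see the exact commands; the only difference between the two rules is the action keyword, which is the whole point of running inline.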

William claims "we have been very busy working on snort_inline and evaluating the snort_inline code that is being integrated into the snort-2.3 source branch. That's right, you heard it here first: snort-2.3 will have snort_inline functionality built into it. Rob, Victor and I will be maintaining and supporting it. We will still maintain snort_inline as a separate project and use it as vehicle for bleeding-edge functionality and honey net-specific features."

This is interesting because of comments Marty made at CanSecWest in April. He said Sourcefire was working on an inline capability that would not use the existing Snort-inline code. I have not seen anything new appear at cvs.snort.org, but I will keep looking.

I am interested in knowing if the inline features of Snort 2.3 will also be largely tied to Linux via IPTables. I asked about FreeBSD support in April, and there have been more recent discussions of support for OpenBSD. FreeBSD support is claimed, but I believe it doesn't work on the 5.x tree. I also discussed the issue here last April, but I've never heard of anyone actually getting Snort-inline to work with any BSD system. For those who want to use Snort to inspect and drop traffic, support for BSD would allow running Snort on a very trustworthy platform like OpenBSD or taking advantage of new traffic handling developments in FreeBSD.
