From: "Sumit Pandya"
Date: Tue, 12 Mar 2002 13:46:46 +0000
Subject: [LARTC] RE: is packet duplicating possible for ids?
To: lartc@vger.kernel.org

Hi,

From: "Hans-Cees Speel"
To: lartc@mailman.ds9a.nl; Tue, 12 Mar 2002 11:19:40 +0100
Reply-To: hanscees@hanscees.com

> I have a situation where I would like to use tc or any tool to send
> all incoming (and perhaps outgoing) traffic not only to its
> destination but also past an ids snort box.

Instead of TC, your solution could be found by writing a Netfilter hack. You will need to write your own target for that, say ipt_COPYSEND.

> hope you can help me

Ya, there is help from Rusty... a short but nice way at the link http://lists.samba.org/pipermail/netfilter/2000-May/004053.html. Take the ipt_REJECT and ipt_MIRROR targets in the netfilter part of the kernel source as a baseline.

If you are running the sniffer on your firewall machine only, then instead of writing a new target I'd suggest/prefer you go for the ipt_QUEUE target: write your user handler program, which will pass all intended packets to the sniffer, and return CONTINUE/ACCEPT from your handler.

-- Sumit
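The copy-then-accept logic of the user-space queue handler suggested above, as an added example that is not part of the original message or of any netfilter code. It assumes packets arrive from the queue as raw IPv4 bytes and that `tap` is a datagram socket toward the sniffer; `handle_packet`, `parse_ipv4` and `build_ipv4` are hypothetical names.

```python
import socket
import struct

NF_ACCEPT = 1  # verdict value defined in linux/netfilter.h

def parse_ipv4(pkt):
    """Return (proto, src, dst) for an IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def handle_packet(pkt, tap, wanted_protos=(6, 17)):
    """Copy an intended packet (TCP/UDP by default) to the sniffer tap.

    The verdict is always NF_ACCEPT: the copy is a side effect and must
    never decide whether the original packet is forwarded.
    Returns (verdict, copied).
    """
    copied = False
    hdr = parse_ipv4(pkt)
    if hdr is not None and hdr[0] in wanted_protos:
        try:
            tap.send(pkt)
            copied = True
        except OSError:
            pass  # fail open: a dead sniffer must not block traffic
    return NF_ACCEPT, copied

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed sample packet for the demo (header checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

if __name__ == "__main__":
    # Stand-in for the link to the sniffer: a local datagram socket pair.
    sniffer, tap = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    pkt = build_ipv4(6, "192.0.2.10", "198.51.100.5", b"constructed payload")
    print(handle_packet(pkt, tap), len(sniffer.recv(65535)))
```

Because the handler swallows send errors, a counter or log line on the `except` path is what tells you the IDS has silently stopped seeing traffic.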