
Snort IDS Extension

$100-500 USD

Cancelled
Posted over 18 years ago

Paid on delivery
The job is: The open source IDS called Snort allows for lookups on Source/Destination IP addresses either by explicit definition (e.g. [login to view URL]) or by variable name (e.g. $PRIVATE_NET). We are seeking to extend Snort to look up an API to match a condition. An example might be:

"log tcp [login to view URL] -> myapi :6000"

This would log any traffic from the local network to any destination IPs that are matched with TRUE in "myapi". myapi would take the destination IP address and return TRUE/FALSE.

Because Snort has large concerns with performance and latency, we are happy to implement a local cache and have the request sent down a netlink socket, which can be checked later and added to the cache.

In summary:

A) have a rule that allows for calls to an "external lookup process" on the sourceIP/destinationIP
B) investigation and prototype implementation only
C) examine and create a Snort extension rule
D) implement/extend in C or C++ to allow for a lookup query to an "external lookup process"
- source_ip_address, destination_ip_address, optional_parameter_string_list is passed
- TRUE/FALSE is returned
- should allow for a timeout to return FALSE
- will probably have to deal with buffering or non-blocking issues
- based on the return TRUE/FALSE, the Snort rule will compare against the results and take action (log, alert etc.)

Notes:

1. The "external lookup process" can be simulated by having another process that takes the parameters and returns TRUE/FALSE after 100 msec.
2. The Snort rule must be useful for inbound or outbound filtering.

## Deliverables

1a) Deliverables:
- source code for the described code in the Snort rule (where required)
- source code for the 'stub' simulating the 'external lookup process' (we can provide a netlink socket example as a starting point)
- document problems/issues with delay or timing (e.g. does it kill Snort if the cache is too large and navigation becomes slow; e.g. if the request to the 'external lookup process' used a netlink socket, are there any blocking issues or possibility of freeze/deadlock)
- document briefly the installation method of the application filter into Snort

1b) recommend the best method by which fast synchronised multiprocess, re-entrant access to the "external lookup process" can be made.

1c) other recommendations

2) Complete and fully-functional working program(s) in executable form as well as complete source code of all work done.

3) Deliverables must be in ready-to-run condition, as follows (depending on the nature of the deliverables):

a) For web sites or other server-side deliverables intended to only ever exist in one place in the Buyer's environment--Deliverables must be installed by the Seller in ready-to-run condition in the Buyer's environment.

b) For all others including desktop software or software the buyer intends to distribute: A software installation package that will install the software in ready-to-run condition on the platform(s) specified in this bid request.

4) All deliverables will be considered "work made for hire" under U.S. Copyright law. Buyer will receive exclusive and complete copyrights to all work purchased. (No GPL, GNU, 3rd party components, etc. unless all copyright ramifications are explained AND AGREED TO by the buyer on the site per the coder's Seller Legal Agreement).

## Platform

Fedora
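The lookup path the job description asks for (cache first, request to the external lookup process, FALSE on timeout, late answers added to the cache afterwards), as an added C example that is not from the posting or from Snort. It keys on a single IP and takes any datagram socket descriptor in place of the netlink socket; the wire format, cache size and all function names are assumptions.

```c
#include <poll.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/types.h>

#define CACHE_SLOTS 1024   /* assumed size; direct-mapped, so lookup cost stays O(1) */

struct reply { uint32_t ip; uint8_t match; };          /* assumed wire format */
struct slot  { uint32_t ip; uint8_t match, valid; };
static struct slot cache[CACHE_SLOTS];

static struct slot *slot_for(uint32_t ip) {
    return &cache[(ip * 2654435761u) % CACHE_SLOTS];   /* multiplicative hash */
}

static void cache_put(uint32_t ip, uint8_t match) {
    struct slot *s = slot_for(ip);
    s->ip = ip; s->match = match; s->valid = 1;
}

/* Absorb replies that arrived after an earlier timeout; never blocks. */
static void drain_late_replies(int fd) {
    struct reply r;
    while (recv(fd, &r, sizeof r, MSG_DONTWAIT) == (ssize_t)sizeof r)
        cache_put(r.ip, r.match);
}

/* Returns 1 (TRUE) or 0 (FALSE); FALSE on timeout or any socket error. */
int ext_lookup(int fd, uint32_t ip, int timeout_ms) {
    drain_late_replies(fd);
    struct slot *s = slot_for(ip);
    if (s->valid && s->ip == ip)
        return s->match;                 /* cache hit: no I/O on the packet path */

    if (send(fd, &ip, sizeof ip, MSG_DONTWAIT) != (ssize_t)sizeof ip)
        return 0;                        /* queue full or peer gone: do not block */

    struct pollfd p = { .fd = fd, .events = POLLIN };
    if (poll(&p, 1, timeout_ms) <= 0)
        return 0;                        /* timeout: the answer may be cached later */

    struct reply r;
    if (recv(fd, &r, sizeof r, MSG_DONTWAIT) != (ssize_t)sizeof r)
        return 0;
    cache_put(r.ip, r.match);            /* cache whatever came back */
    return r.ip == ip ? r.match : 0;     /* only trust a reply for this IP */
}
```

With the 100 msec stub described in the notes, a shorter timeout makes the first packet for an unseen address evaluate as FALSE, and only later packets see the cached verdict.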
Project ID: 3056411

About this project

1 proposal
Remote project
Active 19 years ago

1 freelancer is bidding on this job at an average of $850 USD
See private message.
$850 USD in 14 days
4.9 (35 reviews)
3.3

About the client

Australia
4.9
6
Member since Mar 20, 2004
