Re: deep packet inspection

2003-10-03 Thread Daniel Carneiro
In Linux, Snort-Inline gets its packets from IPTables via libipq/ip_queue. How would a port of snort_inline get its packets from pf to userland and return them? I know that in FreeBSD you could do it with a Divert socket, but I don't know of something like it in OpenBSD. What would be the best way? tun,

Re[2]: deep packet inspection

2003-10-03 Thread Alexey E. Suslikov
SPADE: Spade stands for the Statistical Packet Anomaly Detection Engine. It is a Snort preprocessor plugin which sends alerts about anomalous packets through the standard Snort reporting mechanisms. http://www.silicondefense.com/software/spice/index.htm

Re[2]: deep packet inspection

2003-10-03 Thread Alexey E. Suslikov
There is a sort of IDS called "static". Such an IDS doesn't actually catch anomalies, but watches a flow's normality, so all other (than normal) traffic is assumed to be anomalous. Check out the SANS reading room...