[Snort-devel] another spo question

Martin Roesch roesch at ...48...
Wed Dec 20 00:13:20 EST 2000


Joseph Nicholas Yarbrough wrote:
> 
> To use a custom output plugin I:
> *) write the spo files
> *) Then add the spo file to the list of files linked into snort in the
> Makefile.
> *) Then compile.
> 
> Now I (hopefully) have a snort linked with my output plugin.

Don't forget to add calls to the init function in the plugbase.c file and an
include for the header file for the plugin in plugbase.h.

> How do I tell snort to use my output plugin?

Set it as an output directive in your rules file.  For example, if the plugin
registers itself as "foo", you'd put a line like this in your rules file:

output foo: <args>

Where <args> is the set of arguments you pass to the plugin.

> Do I use the "-A" option?

Nope, that's for "built-in" alert modules; it's legacy functionality.

> If so, what is the argument I should pass?
> Is it the first (char *) argument I passed to RegisterOutputPlugin()?

Yes.


> Should the value I passed as arg 1 to RegisterOutputPlugin() be in the format
> "alert_[-a tag]"?

It doesn't have to be, but it's not a bad idea so users know where to expect
to see its output.

   -Marty


-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
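
A simplified model of the lookup described in the reply above, added here as an illustration and not taken from Snort's source or from the post: the keyword a plugin registers is the name matched in the `output` directive, and the text after the colon is handed to the plugin's init function. The names `register_output`, `dispatch_output_directive` and `foo_init`, and the sample argument, are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT Snort source: the keyword table an output plugin
 * joins when its setup function registers a name at startup. */
typedef void (*init_fn)(const char *args);
static struct { const char *keyword; init_fn init; } table[8];
static int n_plugins;
static char foo_args[128];            /* args the "foo" plugin received */

/* Hypothetical stand-in for the registration call: keyword -> init. */
static int register_output(const char *keyword, init_fn init) {
    if (n_plugins >= 8) return -1;
    table[n_plugins].keyword = keyword;
    table[n_plugins++].init = init;
    return 0;
}

/* Init function of the constructed "foo" plugin: records its arguments. */
static void foo_init(const char *args) {
    snprintf(foo_args, sizeof foo_args, "%s", args);
}

/* Handle one rules-file line "output <keyword>: <args>".
 * Returns 0 on dispatch, -1 if not an output line, -2 if keyword unknown. */
static int dispatch_output_directive(const char *line) {
    char kw[32];
    if (strncmp(line, "output ", 7) != 0) return -1;
    line += 7;
    const char *colon = strchr(line, ':');
    size_t len = colon ? (size_t)(colon - line) : strlen(line);
    if (len == 0 || len >= sizeof kw) return -2;
    memcpy(kw, line, len);
    kw[len] = '\0';
    const char *args = colon ? colon + 1 : "";
    while (*args == ' ') args++;       /* skip blanks after the colon */
    for (int i = 0; i < n_plugins; i++)
        if (strcmp(table[i].keyword, kw) == 0) {
            table[i].init(args);       /* plugin parses its own args */
            return 0;
        }
    return -2;
}

int main(void) {
    register_output("foo", foo_init);
    printf("%d\n", dispatch_output_directive("output foo: /tmp/foo.log"));
    return 0;
}
```

In this model a directive naming a keyword that no plugin registered returns -2, which is the case to check first when a newly linked plugin appears to produce no output.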



