[Snort-devel] [ekr at ...168...: Re: format string in ssl dump]

Fyodor fygrave at ...1...
Wed Dec 20 04:33:04 EST 2000


On Tue, Dec 19, 2000 at 05:34:16PM -0500, Todd Lewis wrote:
> On Tue, 19 Dec 2000, Martin Roesch wrote:
> 
> > Hi Todd, et al.
> > 
> > I think modularizing ssldump for easy inclusion into Snort and other projects
> > is probably the way to go.  I really see this as an application layer decoder,
> > which is something we hope to introduce into follow-on versions of Snort
> > (modular decoder plugin architecture).
> 
> Do you mean the next release, or some alternate version?

That actually was my concern as well. I think we shouldn't hurry to stick
ssldump in just 5 minutes before we release 1.7.x, but rather include it in the original
design of 2.x, right?

> > sounds pretty reasonable to me. :)
> 
> I want to make sure that I understand first.  What would the API for
> this look like?  Where would this plug in?
> 

As I mentioned, it might be a preprocessor plugin (à la tcp stream, f.e.), it just could be on a higher level.
BTW, what about allowing a preprocessor to specify its level (either according to the OSI model, or just a priority)?
This way we could sort out in which order plugins are processing data without taking care of the order in which
they are included in the snort.conf file, f.e.


-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
