[Snort-devel] snort leaders, I need guidance - help!

Todd Lewis tlewis at ...255...
Mon Apr 23 14:06:22 EDT 2001


It appears that the gratuitous uses of pcap have multiplied in the plygins.
Considering that I've really tried to keep the development community
appraised of my efforts with the paengines, this makes me unhappy.

I don't understand, e.g., what spp_tcp_stream.c is doing when it allocates
pcap header structures.  I mean, I know what they're doing, but I don't
really have any idea how to change it to work in a non-pcap-specific way.
Those decisions will have to result from a dialogue with the plugin
authors, but all we've got right now is the sound of one hand clapping.

These problems can be fixed, but they can't be fixed without the
involvement of the plugin authors.  The problem as I see it is a catch-22;
you can't integrate the paengines until the modules are changed,
but it looks like the modules won't be changed until the paengines
are integrated.  Empirically speaking, after four months of working
paengines, just having the paengine patch available is apparently not
enough to get these problems fixed.

Marty, I would like for the paengine stuff to be integrated into 1.8 and
any plugins that depend on pcap be broken until their authors fix them.
As you know by my constant annoying messages to the list, I have nothing
but time to work on this problem and happy to help the plugin authors
work through these problems.  The alternative, of just giving up on
paengines for 1.8, just means that we're going to have the exact same
problem the next time we try to integrate it.

Guidance?

(I hope to have the code paengine integration patch done later today.)

--
Todd Lewis
tlewis at ...255...





More information about the Snort-devel mailing list