[Snort-devel] need more guidance on paengine integration

Todd Lewis tlewis at ...255...
Thu Apr 26 14:55:36 EDT 2001


Still waiting on word for when the paengines should be integrated.  If
it needs to be ready by tomorrow, then I would like to hear about it
sooner rather than later.  As is, I am completely adrift on what we are
doing.  Now, some more questions:

1) What should I do with pds[] and datalinks[]?  Permission to discard these
and other pcap-specific cruft from snort.c?

2) Additionally, I am planning to tag each packet passed up from a paengine
with the data link type; this should allow a single engine (like pcap)
to support multiple interfaces with varying dlt's with ease.

3) Finally, I would like to see the pcap-specific command-line parameters
moved to a paengine-generic option-passing framework.  E.g., instead of:

	snort -F filter -i eth0

you would do:

	snort -E pcap -O "blf=filter" -O "interface=eth0"

or, if you prefer,

	snort -E pcap -Oblf=filter -Ointerface=eth0

or whatever.  This would allow, in parallel, something like

	snort -E divert -O "divert_sock=100,110,115" -O "noreturn"

without having to add 15 top-level parameters per paengine type.  Instead,
each paengine would specify its arguments in its documentation, which we
easily could include in the '-?' output.

Can I do this now?  If not, then can we agree to do this for v2?  Can we
also agree not to add any more pcap-specific command-line arguments as
part of our (hopefully fully-agreed-upon) effort to treat all packet
acquisition mechanisms equally?

--
Todd Lewis
tlewis at ...255...
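
The engine-generic `-E`/`-O` option passing proposed in the message above, sketched as an added example; it is not Snort code and not code from the original post. The schema table, struct names and `parse_engine_opt` are hypothetical, and the option names are the ones used in the message's sample command lines.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical schema: each engine declares the -O keys it accepts. */
struct opt_spec { const char *name; int needs_value; };
struct engine_spec { const char *name; struct opt_spec opts[4]; };

static const struct engine_spec engines[] = {
    { "pcap",   { {"blf", 1}, {"interface", 1}, {NULL, 0} } },
    { "divert", { {"divert_sock", 1}, {"noreturn", 0}, {NULL, 0} } },
};

struct parsed_opt { char key[32]; char value[96]; };

/* Validate one -O argument ("key=value" or bare "flag") for the engine given
 * with -E. Returns 0 on success; -1 for an unknown engine or key, a missing
 * or unexpected value, or input too long for the fixed-size buffers. */
int parse_engine_opt(const char *engine, const char *arg, struct parsed_opt *out)
{
    const struct engine_spec *e = NULL;
    if (engine == NULL || arg == NULL || out == NULL) return -1;
    for (size_t i = 0; i < sizeof engines / sizeof engines[0]; i++)
        if (strcmp(engines[i].name, engine) == 0) e = &engines[i];
    if (e == NULL) return -1;
    const char *eq = strchr(arg, '=');
    size_t klen = eq ? (size_t)(eq - arg) : strlen(arg);
    const char *val = eq ? eq + 1 : "";
    size_t vlen = strlen(val);
    if (klen == 0 || klen >= sizeof out->key || vlen >= sizeof out->value)
        return -1;
    memcpy(out->key, arg, klen);
    out->key[klen] = '\0';
    memcpy(out->value, val, vlen + 1);
    for (const struct opt_spec *o = e->opts; o->name != NULL; o++) {
        if (strcmp(o->name, out->key) != 0) continue;
        /* Valued keys need a non-empty value; flags must not carry "=". */
        return (o->needs_value ? vlen > 0 : eq == NULL) ? 0 : -1;
    }
    return -1; /* key not declared by this engine */
}

int main(void)
{
    /* Constructed sample arguments, as if given after "-E divert". */
    const char *args[] = { "divert_sock=100,110,115", "noreturn", "interface=eth0" };
    struct parsed_opt p;
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("-O %s -> %d\n", args[i], parse_engine_opt("divert", args[i], &p));
    return 0;
}
```

Rejecting keys an engine has not declared keeps a typo or a pcap-only option from being silently ignored when a different engine is selected.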
