[Snort-devel] need more guidance on paengine integration

Martin Roesch roesch at ...48...
Fri Apr 27 00:42:34 EDT 2001

I've been giving some thought to this issue over the past couple days
when I've had the time and I think that we should postpone the
integration of the pa_engine code until after 1.8-release.  I want to
get the code released and I'm *still* behind on getting the system out
the door.  If you really wanted to help us out and get on to the 2.0
development phase (we can also do a separate pa_engine integration task
in the 1.8+ codebase and do a quick release of that once it's complete
and tested).

There are a number of things that need to be accomplished for 1.8
release.  We need to QA and bugfix the current code set in CVS, fix the
known bugs (memory leak in stream2, msg parser f*ck-up, etc), update the
documentation and generally help to make sure we have a solid release. 
You can be most valuable to everyone right now by helping to get that
together; it'll greatly reduce your frustration in the constant delays
in the 1.8 code and help me and everyone else out at the same time.


Todd Lewis wrote:
> Still waiting on word for when the paengines should be integrated.  If
> it needs to be ready by tomorrow, then I would like to hear about it
> sooner rather than later.  As is, I am completely adrift on what we are
> doing.  Now, some more questions:
> 1) What should I do with pds[] and datalinks[]?  Permission to discard these
> and other pcap-specific cruft from snort.c?
> 2) Additionally, I am planning to tag each packet passed up from a paengine
> with the data link type; this should allow a single engine (like pcap)
> to support multiple interfaces with varying dlt's with ease.
> 3) Finally, I would like to see the pcap-specific command-line parameters
> moved to a paengine-generic option-passing framework.  E.g., instead of:
>         snort -F filter -i eth0
> you would do:
>         snort -E pcap -O "blf=filter" -O "interface=eth0"
> or, if you prefer,
>         snort -E pcap -Oblf=filter -Ointerface=eth0
> or whatever.  This would allow, in parallel, something like
>         snort -E divert -O "divert_sock=100,110,115" -O "noreturn"
> without having to add 15 top-level parameters per paengine type.  Instead,
> each paengine would specify its arguments in its documentation, which we
> easily could include in the '-?' output.
> Can I do this now?  If not, then can we agree to do this for v2?  Can we
> also agree not to add any more pcap-specific command-line arguments as
> part of our (hopefully fully-agreed-upon) effort to treat all packet
> acquisition mechanisms equally?
> --
> Todd Lewis
> tlewis at ...255...
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

Martin Roesch
roesch at ...48...
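
Item 3 of the quoted proposal, sketched as an added example that is not Snort code and not part of either message: each engine declares the option keys it accepts, and every -O argument is checked against that table so unknown keys and malformed values are rejected before they reach an engine. The struct and function names (pa_opt, pa_engine, pa_find_engine, pa_parse_opt) and the help strings are hypothetical; the engine names and option keys are the ones in the quoted command lines.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-engine option table: the keys an engine accepts, whether
 * each takes a value ("key=value") or is a bare flag, and text for '-?'. */
struct pa_opt { const char *key; int needs_value; const char *help; };
struct pa_engine { const char *name; const struct pa_opt *opts; size_t nopts; };
static const struct pa_opt pcap_opts[] = {
    { "blf",       1, "packet filter (replaces -F)" },
    { "interface", 1, "capture interface (replaces -i)" },
};
static const struct pa_opt divert_opts[] = {
    { "divert_sock", 1, "comma-separated divert socket numbers" },
    { "noreturn",    0, "flag, takes no value" },
};
static const struct pa_engine engines[] = {
    { "pcap",   pcap_opts,   2 },
    { "divert", divert_opts, 2 },
};

/* Look up the engine named by -E; NULL if no such engine is registered. */
const struct pa_engine *pa_find_engine(const char *name) {
    for (size_t i = 0; i < sizeof engines / sizeof engines[0]; i++)
        if (strcmp(engines[i].name, name) == 0) return &engines[i];
    return NULL;
}

/* Validate one -O argument. Returns 0 and sets *value to the text after '='
 * (NULL for a flag); -1 for unknown key, missing value, or value on a flag. */
int pa_parse_opt(const struct pa_engine *e, const char *arg, const char **value) {
    const char *eq = strchr(arg, '=');
    size_t klen = eq ? (size_t)(eq - arg) : strlen(arg);
    *value = NULL;
    for (size_t i = 0; i < e->nopts; i++) {
        const struct pa_opt *o = &e->opts[i];
        if (strlen(o->key) != klen || strncmp(o->key, arg, klen) != 0) continue;
        if (o->needs_value) {
            if (!eq || eq[1] == '\0') return -1;   /* "interface" or "interface=" */
            *value = eq + 1;
        } else if (eq) return -1;                  /* "noreturn=1" */
        return 0;
    }
    return -1;                                     /* key not in this engine's table */
}

int main(void) {   /* constructed command line: -E divert -O noreturn -O bogus=1 */
    const char *v; const struct pa_engine *e = pa_find_engine("divert");
    printf("%d %d\n", pa_parse_opt(e, "noreturn", &v), pa_parse_opt(e, "bogus=1", &v));
    return 0;
}
```

The same tables could drive the '-?' listing by printing each engine's key and help fields.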
