[Snort-devel] proposed change for preprocessor plugins

Christopher E. Cramer chris.cramer at ...219...
Wed Feb 14 10:55:50 EST 2001


Sorry I haven't been around much; I started a new job last month and have
been trying to get things settled down.

In getting ready to release a new TCP stream reassembly plugin, I started
thinking about the shutdown mechanisms for Snort.  The reassembler, the
defrag preprocessor and several others are becoming more and more
stateful.  What would you say to the idea of registering not only an
initialization routine, but also a shutdown routine?  My specific thoughts
were that the next version of the TCP reassembler will have the option to
truncate the original packets in order to 1) reduce the load and 2)
limit the number of unnecessary alerts.  The problem with this is that at
some point, you terminate Snort, and all the data that was in line to be
reassembled never passes through the detection engine.

If we registered a termination routine that we called for each
preprocessor upon shutting down, we could make the Snort shutdown more
graceful.  This should be fairly easy to implement, including the writing
of dummy termination routines in each current preprocessor.
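
A sketch of the mechanism proposed in the message above, added here as an illustration and not taken from the original post or from Snort's source. All function and type names are hypothetical, and the two segments are constructed sample data; it shows that queued stream data reaches the detection stand-in only when the termination routines run.

```c
/* Added illustration: every name here is hypothetical, not Snort's API. */
#include <string.h>

#define MAX_PREPROC 8
#define BUF_SZ 256

typedef void (*hook_fn)(void);
struct preproc { const char *name; hook_fn init; hook_fn term; };
static struct preproc registry[MAX_PREPROC];
static int n_preproc;
static int inspected_bytes;      /* bytes seen by the stand-in detection engine */
static char stream_buf[BUF_SZ];  /* segments queued for reassembly */
static int stream_len;

static void detect(const char *data, int len) { (void)data; inspected_bytes += len; }

static void stream_flush(void) {
    if (stream_len > 0) { detect(stream_buf, stream_len); stream_len = 0; }
}
static void stream_init(void) { stream_len = 0; }
static void stream_term(void) { stream_flush(); }  /* drain the queue before exit */
static void stream_segment(const char *seg, int len) {
    if (len <= 0) return;
    if (len > BUF_SZ) len = BUF_SZ;                 /* clamp oversized input */
    if (stream_len + len > BUF_SZ) stream_flush();  /* buffer full: inspect now */
    memcpy(stream_buf + stream_len, seg, (size_t)len);
    stream_len += len;
}
static void noop(void) {}  /* dummy routine for a stateless preprocessor */

/* Register both routines together; a missing termination routine is rejected. */
int register_preproc(const char *name, hook_fn init, hook_fn term) {
    if (n_preproc == MAX_PREPROC || !init || !term) return -1;
    registry[n_preproc++] = (struct preproc){ name, init, term };
    return 0;
}
void init_all(void) { for (int i = 0; i < n_preproc; i++) registry[i].init(); }
/* Shutdown pass: call each termination routine, last registered first. */
void shutdown_all(void) { for (int i = n_preproc - 1; i >= 0; i--) registry[i].term(); }

/* Feed two constructed segments, then exit with or without the shutdown pass. */
int run_scenario(int graceful) {
    n_preproc = 0; inspected_bytes = 0;
    register_preproc("stream", stream_init, stream_term);
    register_preproc("stateless", noop, noop);
    init_all();
    stream_segment("GET /index", 10);
    stream_segment(".html", 5);
    if (graceful) shutdown_all();
    return inspected_bytes;  /* bytes that reached detection */
}

int main(void) { return run_scenario(1) == 15 ? 0 : 1; }
```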


