[Snort-devel] proposed change for preprocessor plugins

Martin Roesch roesch at ...48...
Wed Feb 14 11:05:50 EST 2001

This is a good idea and has been brought up to me at conferences a few
times over the past several months.  I think we should implement this
ASAP since it's really quite necessary for proper completion of Snort
traffic analysis at exit time.  Furthermore, this should be really
simple to implement; we can use the shutdown code from the output
plugins as an implementation template.


"Christopher E. Cramer" wrote:
> Guys,
> Sorry I haven't been around much, I started a new job last month and have
> been trying to get things settled down.
> In getting ready to release a new TCP stream reassembly plugin, I started
> thinking about the shutdown mechanisms for snort.  The reassembler, the
> defrag preprocessor and several others are becoming more and more
> stateful.  What would you say to the idea of registering not only an
> initialization routine, but also a shutdown routine?  My specific thoughts
> were that the next version of the tcp reassembler will have the option to
> truncate the original packets in order to 1) reduce the load and 2) to
> limit the number of unnecessary alerts.  The problem with this is that at
> some point, you terminate snort, and all the data that was in line to be
> reassembled never passes through the detection engine.
> If we registered a termination routine that we called for each
> preprocessor upon shutting down, we could make the snort shutdown more
> graceful.  This should be fairly easy to implement, including the writing
> of dummy termination routines in each current preprocessor.
> Thoughts?
> -Chris

Martin Roesch
roesch at ...48...
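
The proposal in this thread, sketched as an added example that is not code from Snort or from either poster: a stateful preprocessor registers a shutdown hook next to its init routine, and the hook flushes buffered data into detection at exit. Every name here (register_preproc, shutdown_all, stream_segment, run_demo) is hypothetical, and the "attack" signature and the segments are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not Snort's plugin API. */
typedef void (*hook_fn)(void);
struct preproc { const char *name; hook_fn init; hook_fn shutdown; };
static struct preproc registry[8];
static int n_preprocs;
static int detected;   /* payloads that matched in the detection stand-in */

/* Stand-in for the detection engine: one constructed signature. */
static void detect(const char *data) { if (strstr(data, "attack")) detected++; }

int register_preproc(const char *name, hook_fn init, hook_fn shutdown)
{
    if (n_preprocs >= 8) return -1;
    registry[n_preprocs++] = (struct preproc){ name, init, shutdown };
    return 0;
}

/* Toy stateful reassembler: holds segments until its buffer fills. */
static char stream_buf[256];
static size_t stream_len;
static void stream_init(void) { stream_len = 0; stream_buf[0] = '\0'; }
static void stream_flush(void) { if (stream_len) { detect(stream_buf); stream_init(); } }
void stream_segment(const char *seg)
{
    size_t n = strlen(seg);
    if (n >= sizeof stream_buf) return;               /* toy: drop oversize */
    if (stream_len + n >= sizeof stream_buf) stream_flush();
    memcpy(stream_buf + stream_len, seg, n + 1);
    stream_len += n;
}

/* Called once at exit: every registered shutdown hook runs, newest first. */
void shutdown_all(void)
{
    for (int i = n_preprocs - 1; i >= 0; i--)
        if (registry[i].shutdown) registry[i].shutdown();
}
/* Feed a signature split across two segments, then exit with or without hooks. */
int run_demo(int call_shutdown)
{
    n_preprocs = 0; detected = 0;
    register_preproc("stream", stream_init, stream_flush);
    for (int i = 0; i < n_preprocs; i++) if (registry[i].init) registry[i].init();
    stream_segment("att"); stream_segment("ack");
    if (call_shutdown) shutdown_all();
    return detected;
}
int main(void) { printf("%d %d\n", run_demo(0), run_demo(1)); return 0; }
```

Without the shutdown pass the split signature is still sitting in the reassembly buffer when the process ends and is never inspected; with it, the buffered stream reaches detection before exit.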
