[Snort-devel] preprocessor identification

Chris Green cmg at ...81...
Thu Jan 11 23:50:01 EST 2001


Joe McAlerney <joey at ...63...> writes:

> Hello all,
> 
> I think it would be beneficial for output plugins to know the source of
> where they are receiving input from.
>
> This way, output plugins can
> tailor their format, route differently, or choose to ignore information
> provided from a given input source.  It's really a trivial thing to
> implement.  I suggest adding another argument to CallAlertFuncs() and
> CallLogFuncs() in plugbase.c to hold the name of the preprocessor
> calling the function.  We could simply use the function keyword
> ("defrag","http_decode","minfrag", etc...) and "rule" for the rule-based
> case.

> If this sounds good, I can make some patches tomorrow.  Otherwise, I'd
> like to hear your thoughts.
> 
> Thanks,

This type of functionality would be nice.  I was thinking how this
would be very beneficial to preprocessors that should only act on
packets that came from other preprocessors (defrag or session
specifically).  This way one plugin can do reassembly and there can
be another plugin that knows it only will deal with reassembled
packets.

At least that's my understanding of the architecture at the moment.
Corrections are very welcome ;)
-- 
Chris Green <cmg at ...81...>
ACTIVATE GOAT SERVERS!
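
A sketch of the source-tagging idea discussed in this thread, as an added example that is not part of either message and is not Snort's plugbase.c code. The names register_output, dispatch_alert and count_alert are hypothetical, and the alert strings are constructed; only the source keywords ("rule", "defrag") come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical output-plugin callback: gets the alert text plus the name of
 * the component that raised it ("rule", "defrag", "http_decode", ...). */
typedef void (*alert_fn)(const char *source, const char *msg, void *ctx);

struct output_plugin {
    const char *only_source;   /* NULL = accept alerts from every source */
    alert_fn    fn;
    void       *ctx;
};

#define MAX_PLUGINS 8
static struct output_plugin plugins[MAX_PLUGINS];
static int n_plugins;

static int register_output(const char *only_source, alert_fn fn, void *ctx)
{
    if (fn == NULL || n_plugins >= MAX_PLUGINS)
        return -1;
    plugins[n_plugins++] = (struct output_plugin){ only_source, fn, ctx };
    return 0;
}

/* Returns how many plugins took the alert, or -1 when the caller did not
 * identify itself (an untagged alert is refused rather than guessed at). */
static int dispatch_alert(const char *source, const char *msg)
{
    int delivered = 0;
    if (source == NULL || msg == NULL)
        return -1;
    for (int i = 0; i < n_plugins; i++) {
        const char *want = plugins[i].only_source;
        if (want != NULL && strcmp(want, source) != 0)
            continue;              /* plugin chose to ignore this source */
        plugins[i].fn(source, msg, plugins[i].ctx);
        delivered++;
    }
    return delivered;
}

/* Sample plugin: counts the alerts routed to it. */
static void count_alert(const char *source, const char *msg, void *ctx)
{
    (void)source; (void)msg;
    ++*(int *)ctx;
}

int main(void)
{
    int all = 0, frag = 0;
    register_output(NULL, count_alert, &all);       /* takes everything */
    register_output("defrag", count_alert, &frag);  /* defrag alerts only */
    dispatch_alert("rule", "constructed alert from a rule match");
    dispatch_alert("defrag", "constructed alert from the defragmenter");
    printf("all=%d defrag-only=%d\n", all, frag);
    return 0;
}
```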
