[Snort-devel] preprocessor identification

Martin Roesch roesch at ...48...
Fri Jan 12 17:47:32 EST 2001


This sounds good to me, it makes a lot of sense.  Make it so. ;)

   -Marty

Chris Green wrote:
> 
> Joe McAlerney <joey at ...63...> writes:
> 
> > Hello all,
> >
> > I think it would be beneficial for output plugins to know the source of
> > where they are receiving input from.
> >
> > This way, output plugins can
> > tailor their format, route differently, or choose to ignore information
> > provided from a given input source.  It's really a trivial thing to
> > implement.  I suggest adding another argument to CallAlertFuncs() and
> > CallLogFuncs() in plugbase.c to hold the name of the preprocessor
> > calling the function.  We could simply use the function keyword
> > ("defrag","http_decode","minfrag", etc...) and "rule" for the rule-based
> > case.
> 
> > If this sounds good, I can make some patches tomorrow.  Otherwise, I'd
> > like to hear your thoughts.
> >
> > Thanks,
> 
> This type of functionality would be nice.  I was thinking how this
> would be very beneficial to preprocessors that should only act on
> packets that came from other preprocessors ( defrag or session
> specifically ).  This way one plugin can do reassembly and there can
> be another plugin that knows it only will deal with reassembled
> packets.
> 
> At least that's my understanding of the architecture at the moment.
> Corrections are very welcome ;)
> --
> Chris Green <cmg at ...81...>
> ACTIVATE GOAT SERVERS!
> 

--
Martin Roesch
roesch at ...48...
http://www.snort.org
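
The proposal in the quoted thread, sketched as an added example (not code from Snort or from the posters): a simplified model of an alert dispatcher that passes the calling source's keyword to each output plugin, and a plugin that ignores one source. The callback signature, `AddAlertFunc`, `FilterState` and `FilteredAlert` are hypothetical, and this `CallAlertFuncs` is a stand-in that carries only the source name and a message.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FUNCS 8

/* Hypothetical output-plugin callback: src is the keyword of the caller
 * ("defrag", "http_decode", "minfrag", ...) or "rule" for rule matches. */
typedef void (*AlertFunc)(const char *src, const char *msg, void *arg);
typedef struct { AlertFunc fn; void *arg; } AlertEntry;

static AlertEntry alert_list[MAX_FUNCS];
static int alert_count;

/* Register an output plugin; returns -1 when the table is full. */
int AddAlertFunc(AlertFunc fn, void *arg) {
    if (alert_count == MAX_FUNCS) return -1;
    alert_list[alert_count].fn = fn;
    alert_list[alert_count].arg = arg;
    alert_count++;
    return 0;
}

/* Stand-in dispatcher with the extra source argument from the proposal.
 * A missing source is normalised so plugins never compare against NULL. */
int CallAlertFuncs(const char *src, const char *msg) {
    int i;
    if (src == NULL) src = "unknown";
    for (i = 0; i < alert_count; i++)
        alert_list[i].fn(src, msg, alert_list[i].arg);
    return alert_count;
}

/* Hypothetical plugin: tags output with the source, skips one source. */
typedef struct { const char *ignore; int written; int skipped; } FilterState;

static void FilteredAlert(const char *src, const char *msg, void *arg) {
    FilterState *st = arg;
    if (st->ignore && strcmp(src, st->ignore) == 0) { st->skipped++; return; }
    printf("[%s] %s\n", src, msg);
    st->written++;
}

/* Constructed sample run: four alerts, one from the ignored source. */
int demo(FilterState *st) {
    alert_count = 0;
    st->ignore = "minfrag"; st->written = 0; st->skipped = 0;
    AddAlertFunc(FilteredAlert, st);
    CallAlertFuncs("rule", "constructed rule alert");
    CallAlertFuncs("minfrag", "constructed tiny-fragment alert");
    CallAlertFuncs("http_decode", "constructed decode alert");
    CallAlertFuncs(NULL, "constructed alert with no source");
    return st->written;
}

int main(void) { FilterState st; return demo(&st) == 3 ? 0 : 1; }
```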
