[Snort-devel] Where to do the stuff?

Todd Lewis tlewis at ...120...
Wed Jan 24 11:39:19 EST 2001


Ok, I want to use the following syntax:

  alert icmp any any -> any any (msg:"Misc. ICMP traffic";verdict:"discard";);

The verdict will be one of "accept", "drop", or "reject", which
will map to PA_PACKET_VERDICT_ACCEPT, PA_PACKET_VERDICT_DROP,
PA_PACKET_VERDICT_REJECT.  If no verdict is specified, then the rule
will be set to PA_PACKET_VERDICT_NO_ACTION.

I've extended OptTreeNode to include a verdict:

    int verdict;         /* verdict */

added into ParseRuleOptions():

            else if (!strcasecmp(opts[0], "verdict"))
            {
                ParseVerdict(opts[1]);
            }

and added this new function:

void ParseVerdict(char *verdict)
{
    if(!(strcmp(verdict, "accept"))){
        otn_tmp->verdict = PA_PACKET_VERDICT_ACCEPT;
    } else if(!(strcmp(verdict, "drop"))){
        otn_tmp->verdict = PA_PACKET_VERDICT_DROP;
    } else if(!(strcmp(verdict, "reject"))){
        otn_tmp->verdict = PA_PACKET_VERDICT_REJECT;
    } else {
        /* unknown verdict keyword: report the offending value to the rule writer */
        ErrorMessage("ERROR %s (%d): unknown verdict \"%s\"\n",
                     file_name, file_line, verdict);
    }
}

The only thing left to do is really easy.  When a packet matches a
rule, I need to do this:

	if(otn->verdict!=PA_PACKET_VERDICT_NO_ACTION)
		P->verdict=otn->verdict;

My question is, where do I do this?  rules.c:Detect()?
rules.c:EvalHeader()?  rules.c:EvalOpts()?  I don't really understand
what is going on in this part of snort; laziness being a virtue, I would
appreciate if someone could give me a little guidance.

--
Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz
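A stand-alone sketch of the option parsing and the verdict-merge step from the post above, added here as an example and not code from the post or from Snort. It assumes numeric values for the PA_PACKET_VERDICT_* constants and a hypothetical VERDICT_INVALID sentinel; unlike the posted ParseVerdict it strips the quotes that a rule option value such as verdict:"drop" carries and matches case-insensitively, consistent with the strcasecmp used for the option keyword.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-ins for Snort's PA_PACKET_VERDICT_* constants (values assumed). */
enum {
    PA_PACKET_VERDICT_NO_ACTION = 0,
    PA_PACKET_VERDICT_ACCEPT    = 1,
    PA_PACKET_VERDICT_DROP      = 2,
    PA_PACKET_VERDICT_REJECT    = 3,
    VERDICT_INVALID             = -1   /* hypothetical: unknown keyword */
};

/* Map the raw value of a verdict: option to a verdict constant.
 * Surrounding whitespace and quotes are stripped and the keyword is
 * matched case-insensitively. NULL means the option was absent, so the
 * rule takes no action; an empty or unknown keyword is an error. */
int parse_verdict_value(const char *value)
{
    char buf[32];
    size_t len;

    if (value == NULL)
        return PA_PACKET_VERDICT_NO_ACTION;

    while (*value == ' ' || *value == '\t') value++;   /* leading space */
    if (*value == '"') value++;                        /* opening quote */
    len = strlen(value);
    while (len > 0 && (value[len - 1] == ' ' || value[len - 1] == '\t'))
        len--;                                         /* trailing space */
    if (len > 0 && value[len - 1] == '"') len--;       /* closing quote */
    if (len == 0 || len >= sizeof buf)
        return VERDICT_INVALID;
    memcpy(buf, value, len);
    buf[len] = '\0';

    if (strcasecmp(buf, "accept") == 0) return PA_PACKET_VERDICT_ACCEPT;
    if (strcasecmp(buf, "drop") == 0)   return PA_PACKET_VERDICT_DROP;
    if (strcasecmp(buf, "reject") == 0) return PA_PACKET_VERDICT_REJECT;
    return VERDICT_INVALID;   /* e.g. "discard", which is not a defined verdict */
}

/* The per-match step from the post: the rule's verdict overrides the
 * packet's current verdict only when the rule actually sets one. */
int apply_rule_verdict(int packet_verdict, int rule_verdict)
{
    if (rule_verdict != PA_PACKET_VERDICT_NO_ACTION)
        return rule_verdict;
    return packet_verdict;
}
```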
