[Snort-devel] Where to do the stuff?

Joe McAlerney joey at ...63...
Wed Jan 24 12:59:44 EST 2001


Todd Lewis wrote:

> I've extended OptTreeNode to include a verdict:
> 
>     int verdict;         /* verdict */
> 
> /* Parses the rule's verdict option into the OTN currently being built.
>  * otn_tmp, file_name and file_line are Snort's parser globals. */
> void ParseVerdict(char *verdict)
> {
>     if(!(strcmp(verdict, "accept"))){
>         otn_tmp->verdict = PA_PACKET_VERDICT_ACCEPT;
>     } else if(!(strcmp(verdict, "drop"))){
>         otn_tmp->verdict = PA_PACKET_VERDICT_DROP;
>     } else if(!(strcmp(verdict, "reject"))){
>         otn_tmp->verdict = PA_PACKET_VERDICT_REJECT;
>     } else {
>         /* report the unrecognised keyword itself, not an unrelated size */
>         ErrorMessage("ERROR %s (%d): bad verdict \"%s\"\n",
>                      file_name, file_line, verdict);
>     }
> }

It seems that the plugin architecture could support all of this.  You
could use the otn's ds_list to hold the verdict, and parse just as you
did above in the plugin's parsing function.  This would eliminate adding
anything new to Snort's core files.  Of course, I may be missing some
key factor that prevents you from doing this.  

Take a look at the structure of the sp_reference plugin.  It's very
basic, and may help in the direction you are going.

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+
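What Joe describes, keeping the per-rule verdict in the OTN's ds_list the way sp_reference keeps its data rather than adding a field to OptTreeNode, as an added example that is not code from the original thread or from Snort itself. The OptTreeNode, the PLUGIN_VERDICT slot index, the VERDICT_* codes and all function names below are trimmed-down stand-ins modeled on the Snort 1.x plugin layout and are assumptions for illustration; a real plugin would also register its keyword and detection function with the core.

```c
/* Added example: a Snort 1.x-style detection plugin that parses a
 * "verdict" rule option and stores it in the OTN's ds_list. The types and
 * names here are stand-ins modeled on Snort 1.x, not Snort's own code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    PLUGIN_VERDICT = 0,   /* assumed ds_list slot index for this plugin */
    PLUGIN_MAX
};

/* Verdict codes of the hypothetical plugin; 0 means "none/unrecognised". */
enum { VERDICT_ACCEPT = 1, VERDICT_DROP = 2, VERDICT_REJECT = 3 };

/* Trimmed-down stand-in for Snort's OptTreeNode: the real struct carries
 * far more, but a plugin only needs the ds_list array of per-rule data. */
typedef struct _OptTreeNode {
    void *ds_list[PLUGIN_MAX];
} OptTreeNode;

/* The plugin's private per-rule data, hung off ds_list[PLUGIN_VERDICT]. */
typedef struct {
    int verdict;
} VerdictData;

/* Map the option argument to a verdict code. Surrounding whitespace is
 * trimmed because the argument usually arrives as " drop" after the colon. */
static int VerdictFromString(const char *s)
{
    char buf[32];
    size_t n;

    while (*s && isspace((unsigned char)*s)) s++;
    n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1])) n--;
    if (n == 0 || n >= sizeof buf) return 0;
    memcpy(buf, s, n);
    buf[n] = '\0';

    if (strcmp(buf, "accept") == 0) return VERDICT_ACCEPT;
    if (strcmp(buf, "drop") == 0)   return VERDICT_DROP;
    if (strcmp(buf, "reject") == 0) return VERDICT_REJECT;
    return 0;
}

/* Plugin init hook: parse the option text and attach the result to the
 * OTN. Returns 0 on success, -1 on a bad or duplicated argument (a real
 * plugin would report through Snort's ErrorMessage/FatalError). */
int VerdictInit(const char *data, OptTreeNode *otn)
{
    VerdictData *vd;
    int v;

    if (otn->ds_list[PLUGIN_VERDICT] != NULL) {
        fprintf(stderr, "verdict: option given twice in one rule\n");
        return -1;
    }
    v = VerdictFromString(data);
    if (v == 0) {
        fprintf(stderr, "verdict: bad argument \"%s\" (accept|drop|reject)\n", data);
        return -1;
    }
    vd = calloc(1, sizeof *vd);
    if (vd == NULL) return -1;
    vd->verdict = v;
    otn->ds_list[PLUGIN_VERDICT] = vd;
    return 0;
}

/* Detection-time lookup: the verdict is found in the OTN's ds_list, so no
 * new core field is needed. Returns 0 when the rule has no verdict option. */
int OtnVerdict(const OptTreeNode *otn)
{
    const VerdictData *vd = otn->ds_list[PLUGIN_VERDICT];
    return vd ? vd->verdict : 0;
}

void VerdictFree(OptTreeNode *otn)
{
    free(otn->ds_list[PLUGIN_VERDICT]);
    otn->ds_list[PLUGIN_VERDICT] = NULL;
}

/* Parse, read back, release: returns the verdict code or -1 on a bad option. */
int VerdictRoundTrip(const char *data)
{
    OptTreeNode otn;
    int v;

    memset(&otn, 0, sizeof otn);
    if (VerdictInit(data, &otn) != 0) return -1;
    v = OtnVerdict(&otn);
    VerdictFree(&otn);
    return v;
}

int main(void)
{
    printf("\" drop \" -> %d\n", VerdictRoundTrip(" drop "));
    printf("\"bogus\"  -> %d\n", VerdictRoundTrip("bogus"));
    return 0;
}
```

The only core change this needs is a slot index for the plugin's ds_list entry; everything else lives in the plugin file, which is the split Joe suggests.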
