[Snort-devel] Re: [Snort-users] spo_database oddity

Todd Lewis tlewis at ...255...
Mon May 7 16:33:44 EDT 2001


On Mon, 7 May 2001, Joe McAlerney wrote:

> The biggest challenge is converting all functions over to this
> format.  We did it once a few months ago, so the patches are probably
> outdated.  I would be willing to do it again if this is something that
> the developers want to do.  Even if this is not exactly the desired
> structure, something that gives us this functionality should probably be
> implemented.
> 
> Thoughts?

I agree with the desire behind this proposal, but I strongly disagree
with the proposed solution.  I think that the present arrangement of
protocol knowledge in the core combined with ad-hoc preprocessors is a
complete mess.  I think that the way to solve these problems is to bite
the bullet and cleanly abstract protocol knowledge away from the core into
true modules that provide the appropriate services to output modules.
I think that trying to solve these problems with stuff like keying
on an enumeration of present preprocessor types, while a short-term
improvement over the status quo, simply adds more complexity to what is
already an overly complex system.  As such, I think that it is a step
in the wrong direction.

I think that rearranging snort to make these problems disappear should be
the main priority for snort 2.0.  I think that that is where the effort
can profitably be directed, and that trying to use bailing wire to make
the present system work more smoothly is not the most efficient application
of effort.

Still, although I disagree philosophically with your proposal, the
technical merits seem fine, and so if someone were to want to do it as
part of the 1.0 branch of snort, then I would have no standing to object.

--
Todd Lewis
tlewis at ...255...
