[Snort-devel] reusing snort's engine

Florin Andrei florin at ...1187...
Mon Mar 11 21:41:06 EST 2002

I want to write an application that has to do pattern matching on a
stream of messages. 
The messages are plain-text lines, terminated in \n. They are sent via a
named pipe or something similar (the transport is not yet decided). 
Every message has a few more-or-less fixed labels, and a body of a
variable length. One or more messages can constitute an event (all
messages of an event are not necessarily successive, but other messages
might get mixed between). 

As you see, this is very much like what Snort does for IP protocols (messages
= IP packets, labels = IP and TCP headers, events = sessions, etc.).
Which gave me an idea... 

Is it possible to re-use Snort's pattern matching engine to do a pattern
matching on something quite different from IP packets? 
I would love to use Snort for this, because it's quite fast, and I need
a lot of speed for my application. 

Well, it's just a crazy idea. Don't laugh at me too loud... :-) 

Florin Andrei

