[Snort-devel] reusing snort's engine

Florin Andrei florin at ...1187...
Mon Mar 11 21:41:06 EST 2002


I want to write an application that has to do pattern matching on a
stream of messages. 
The messages are plain-text lines, terminated in \n. They are sent via a
named pipe or something similar (the transport is not yet decided). 
Every message has a few more-or-less fixed labels, and a body of a
variable length. One or more messages can constitute an event (all
messages of an event are not necessarily successive, but other messages
might get mixed between). 

As you see, this is very much like Snort does for IP protocols (messages
= IP packets, labels = IP and TCP headers, events = sessions, etc.).
Which gave me an idea... 

Is it possible to re-use Snort's pattern matching engine to do a pattern
matching on something quite different from IP packets? 
I would love to use Snort for this, because it's quite fast, and I need
a lot of speed for my application. 

Well, it's just a crazy idea. Don't laugh at me too loud... :-)

-- 
Florin Andrei

Jack Valenti, president of the Motion Picture Association of America,
has reported that the year 2001 was the "greatest box office year in
film history" with movie admissions reaching their highest level since
1959. Isn't this the same industry that is complaining that piracy is
putting them out of business?




