[Snort-devel] O Snort development gurus!

Smith, Donald Donald.Smith at ...530...
Tue Oct 1 22:16:44 EDT 2002


Inline comments.

> -----Original Message-----
> From: Justin Lundy [mailto:jbl at ...314...]
> Sent: Tuesday, October 01, 2002 10:24 PM
> To: snort-devel at lists.sourceforge.net
> Cc: Yas
> Subject: Re: [Snort-devel] O Snort development gurus!
> 
> 
> It would not take two months, but new features I would like
> to see in Snort would include the ability to load/unload rules
> without having to SIGHUP the Snort process. Also, a system
Did you know that snort reads the rules and "compiles" them into a
set of matching rules? Having snort do that every time it gets a packet
will not work. It cannot reread the snort.conf -> rules files
every time and compile them.
> similar to Symantec LiveUpdate where Snort would check for
> updated rulesets and reload them on the fly. I realize that
What do you mean by on the fly? Every second, minute, hour, or instance?
What about rules I write?
I would want to keep them. Not a feature on most other IDS systems.

> this same functionality can be duplicated with perl scripts
> (works fine). It would just be nice to have it integrated.
So if you had a "background" process that recompiled the rules
and replaced them in 10, 100, 1000, 10000 seconds, would that make your
rule update "real-time" enough?

How often during running does Symantec LiveUpdate occur?

> 
> --jbl
> 
> On Sun, Sep 29, 2002 at 07:12:54PM -0700, Yas wrote:
> > Hello,
> > 
> > Heh! Here is an over simplistic awkward question. I am
> > under a situation where I need to ask: what would be a
> > snort programming problem that will be enough for a
> > master's project and doable in two months for an above
> > average but not top notch C programmer.
> > 
> > I was thinking about doing the "AND" as a rule type;
> > but that requires changing the parsing the rules for
> > rtn and then for parsing the packets. I got lost
> > somewhere in there. (played around with snort-1.8.3
> > code for that).
> > have already looked into freshmeat.net to get an idea,
> > couldn't.
> > 
> > - Lost in Snort
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> -- 
> --jbl [subterrain / techitch]
> --email : jbl at ...314...
> 