[Snort-devel] Re: Patch: exec option for starting programs triggered by rules

Chris Green cmg at ...402...
Thu Jun 26 06:01:32 EDT 2003

Stefan Schlott <stefan.schlott at ...2052...> writes:

> Hi all,
> I had the need to run a program when snort matched a specific signature (I
> wanted to find out more about the attacker's host, e.g. by running nmap).
> I didn't find a function in snort, so I wrote a new detection plugin 
> (analogous to react and respond). It uses a comma-separated list of
> option=value touples as syntax. I implemented the following options:

I don't think this will ever be an official part of snort but it's a
useful thing to include in a contrib set since allowing people to
fork() at runtime is a pretty expensive operation.  If you would like
to write up a README and patching instructions, we can put it on

> +		if (strncmp(opt,PROGRAM,strlen(PROGRAM))==0) {

Just FYI, strncmp shouldn't be used unless you are only looking for a
specific prefix.  There's lots of bad parsing code in snort that is
cleaned up as that section is visited for other reasons.

strdup return values should always be checked. Same caveat above applies

If functions aren't used outside your file, they should be static. 
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.

More information about the Snort-devel mailing list