[Snort-devel] including markup information for detected pattern

o.wurster dna75 at ...224...
Wed Dec 1 02:58:02 EST 2004


hi everybody

we are working on a student project in Basel (Switzerland), and we need 
some help concerning the Snort engine.

the main goal is to mark up the detected pattern in a packet. therefore 
we need to change the Snort engine. we analyze tcpdump files, so we are 
not concerned about performance.

each detected pattern in a packet should be defined by a start point 
(offset) and a length or an endpoint. but the Snort engine only shows us 
that there was a detection and not where it occurred.
what we need to know is where it would be possible to get this 
information from, i.e. which functions or which structures need to be changed.

we figured out that the pattern matching is basically done by the 
mSearch() functions in mstring.c.
is the structure PatternMatchData in sp_pattern_match.h the right place 
to put in the markups or to find the information?

we would appreciate any kind of help from your side.

thank you for taking the time :)
greetings from Basel

cezar, bency, oli
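
The offset/length "markup" the post asks for, as an added example that is neither the poster's code nor Snort's: a Horspool-style byte search in the spirit of mSearch() that records every hit (overlapping ones included) as an offset and a length, run over a constructed HTTP-like payload. The Markup struct, find_markups() and the sample payload are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One detected pattern occurrence: byte offset into the payload and its length
 * (the "markup" the post describes). Hypothetical type, not a Snort structure. */
typedef struct { size_t offset; size_t length; } Markup;

/* Horspool shift table: for each byte value, how far the window may jump when
 * that byte is the last one under the window. Same idea as a Boyer-Moore-style
 * skip table, written here independently. */
static void build_shift(const unsigned char *ptrn, size_t plen, size_t shift[256]) {
    for (int c = 0; c < 256; c++) shift[c] = plen;
    for (size_t i = 0; i + 1 < plen; i++) shift[ptrn[i]] = plen - 1 - i;
}

/* Scan buf for every occurrence of ptrn and record a Markup for each hit.
 * Unlike a found/not-found result, the caller learns exactly where each hit
 * lies. Returns the number of markups stored (at most max). */
size_t find_markups(const unsigned char *buf, size_t blen,
                    const unsigned char *ptrn, size_t plen,
                    Markup *out, size_t max) {
    size_t shift[256], n = 0, pos = 0;
    if (plen == 0 || plen > blen) return 0;
    build_shift(ptrn, plen, shift);
    while (pos + plen <= blen) {
        if (memcmp(buf + pos, ptrn, plen) == 0) {
            if (n < max) { out[n].offset = pos; out[n].length = plen; }
            n++;
        }
        pos += shift[buf[pos + plen - 1]];   /* Horspool shift never skips a valid start */
    }
    return n > max ? max : n;
}

/* Constructed sample payload (not a real capture): a request line that
 * contains the content "../" twice, at offsets 13 and 16. */
static const char SAMPLE[] = "GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n";

/* Print one line per hit with the marked-up bytes; returns the hit count. */
size_t demo(void) {
    Markup hits[8];
    const char *p = "../";
    size_t n = find_markups((const unsigned char *)SAMPLE, strlen(SAMPLE),
                            (const unsigned char *)p, strlen(p), hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("hit %zu: offset=%zu length=%zu bytes=\"%.*s\"\n", i, hits[i].offset,
               hits[i].length, (int)hits[i].length, SAMPLE + hits[i].offset);
    return n;
}

int main(void) { demo(); return 0; }
```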
