[Snort-devel] including markup information for detected pattern
dna75 at ...224...
Wed Dec 1 02:58:02 EST 2004
we are working on a student project in basel (switzerland), and we need
some help concerning the snort engine.
the main goal is to mark up the detected pattern in a packet. therefore
we need to change the snort engine. we analyze tcpdump files, so we are
not concerned about performance.
each detected pattern in a packet should be defined by a start point
(offset) and a length or an endpoint. but the snort engine only shows us
that there was a detection and not where it occurred.
what we need to know is where it would be possible to get this
information from, which function or which structures need to be changed.
we figured out that the pattern matching is basically done by the
mSearch() functions in mstring.c.
is the structure PatternMatchData in sp_pattern_match.h the right place
to put in the markups or to find the information?
we would appreciate any kind of help from your side.
thank you for taking the time :)
greetings from basel
cezar, bency, oli
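
An added example, not part of the original post and not Snort's own code: a stand-alone content search that reports every match as a start offset and a length, which is the markup the message asks for. It uses a Boyer-Moore-Horspool search rather than the mSearch() routines in mstring.c, and the names `match_span` and `find_spans` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record for one marked-up match: where it starts and how long it is. */
typedef struct {
    size_t offset;  /* byte offset of the match from the start of the payload */
    size_t length;  /* length of the matched pattern in bytes */
} match_span;

/* Boyer-Moore-Horspool search over a binary payload. Records up to max_spans
 * matches (overlapping ones included) and returns the number recorded. */
size_t find_spans(const unsigned char *buf, size_t blen,
                  const unsigned char *pat, size_t plen,
                  match_span *spans, size_t max_spans)
{
    size_t shift[256], i, pos = 0, found = 0;

    if (plen == 0 || blen < plen)
        return 0;
    for (i = 0; i < 256; i++)
        shift[i] = plen;                 /* byte not in pattern: skip a full pattern length */
    for (i = 0; i + 1 < plen; i++)
        shift[pat[i]] = plen - 1 - i;    /* distance from last occurrence to pattern end */

    while (pos <= blen - plen && found < max_spans) {
        if (memcmp(buf + pos, pat, plen) == 0) {
            spans[found].offset = pos;
            spans[found].length = plen;
            found++;
            pos += 1;                    /* step by one so overlapping matches are reported */
        } else {
            pos += shift[buf[pos + plen - 1]];
        }
    }
    return found;
}

int main(void)
{
    /* Constructed sample payload, not taken from a real capture. */
    static const unsigned char payload[] = "GET /cgi-bin/test.cgi?x=/cgi-bin/ HTTP/1.0\r\n";
    match_span spans[8];
    size_t n = find_spans(payload, sizeof payload - 1,
                          (const unsigned char *)"/cgi-bin/", 9, spans, 8);
    for (size_t i = 0; i < n; i++)
        printf("match %zu: offset=%zu length=%zu\n", i, spans[i].offset, spans[i].length);
    return 0;
}
```

The offsets are relative to the start of the buffer passed in, so a caller that searches only the application payload has to add the header length to get an offset into the full packet.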