[Snort-devel] Snort as a library

Harry Richardson cormallen at ...398...
Tue Jul 20 06:00:10 EDT 2004

Hi all.

I'm looking into building snort as a library, so that another process
can pass packets to it for evaluation and get back any alerts that
Snort generates.

Getting data in and out of Snort is easy, but what I'd like to do is
get an instant response to a packet (i.e., if the packet is evil, then an
alert is fired instantly). Is this possible, or does Snort use buffers
and/or threads so that the response to a packet may be output after
many other packets have been fed into it? And if that is the case,
would it be feasible for me to tweak the snort code so that I can get
the desired behaviour?

(I have pretty good C chops and a background in writing packet analysis
code, so I'm prepared to rewrite large chunks of Snort if need be, but
I don't know the codebase and wanted to ask the experts before jumping
right in).
