[Snort-devel] Snort as a library
Michael.Richardson at ...2449...
Tue Jul 20 06:57:03 EDT 2004
>>>>> "Harry" == Harry Richardson <cormallen at ...398...> writes:
Harry> I'm looking into building snort as a library, so that another
Harry> process can pass packets to it for evaluation and get back
Harry> any alerts that Snort generates.
See the start of my patches to contextualize snort.
http://www.sandelman.ca/tmp, look for snort-*.
I have to redo the patches for a later release, they were last touched
Harry> Getting data in and out of Snort is easy, but what I'd like
Harry> to do is get an instant response to a packet (ie, if the
Harry> packet is evil, then an alert is fired instantly). Is this
Harry> possible, or does Snort use buffers and/or threads so that
Harry> the response to a packet may be output after many other
It does not use threads.
However, there are situations where the answer is not available until
after more traffic has been received, due to the TCP reassembly code.
Harry> (I have pretty good C chops and a background in writing
Harry> packet analysis code, so I'm prepared to rewrite large chunks
Harry> of Snort if need be, but I don't know the codebase and wanted
Harry> to ask the experts before jumping right in).
The problem you will have is maintenance. If you adjust the code
significantly, then you will effectively have forked it. So far, I have
not found a way to get enough of the Sourcefire team's attention to find
out what criteria they will use to determine if they accept a patch.
There is apparently a new regression testing system, but I haven't
seen it yet. That should help prove the patches are okay.
] ON HUMILITY: to err is human. To moo, bovine. [
] Michael Richardson, Seaway Networks Corporation [
] michael at ...2449... http://www.seawaynetworks.com/ [
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
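As an added illustration of the point above about the answer sometimes not being available until more traffic arrives (example code written for this page, not Snort's own library code; the eval_segment() API, stream_ctx, the verdict enum and the signature are all hypothetical), this toy detects a content signature on reassembled TCP payload and returns PENDING rather than CLEAN when a segment ends with a partial match that a later segment could complete:

```c
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_CLEAN, VERDICT_ALERT, VERDICT_PENDING };
#define STREAM_MAX 256

/* Hypothetical per-flow reassembly state; real Snort tracks many flows. */
struct stream_ctx { unsigned char buf[STREAM_MAX]; size_t len; };

/* Constructed content signature (any byte string would do). */
static const char SIGNATURE[] = "EVIL-PAYLOAD";
#define SIGLEN (sizeof(SIGNATURE) - 1)

static int contains_sig(const unsigned char *b, size_t len)
{
    for (size_t i = 0; i + SIGLEN <= len; i++)
        if (memcmp(b + i, SIGNATURE, SIGLEN) == 0) return 1;
    return 0;
}

/* Evaluate one in-order TCP segment payload. ALERT if the reassembled buffer
 * contains the signature; PENDING if the buffer ends with a proper prefix of
 * it, because a later segment may complete the match; CLEAN otherwise. */
enum verdict eval_segment(struct stream_ctx *s, const void *payload, size_t n)
{
    if (s->len + n > STREAM_MAX) { s->len = 0; return VERDICT_CLEAN; } /* toy limit */
    memcpy(s->buf + s->len, payload, n);
    s->len += n;
    if (contains_sig(s->buf, s->len)) { s->len = 0; return VERDICT_ALERT; }
    size_t maxk = s->len < SIGLEN - 1 ? s->len : SIGLEN - 1;
    for (size_t k = maxk; k > 0; k--) {
        if (memcmp(s->buf + s->len - k, SIGNATURE, k) == 0) {
            memmove(s->buf, s->buf + s->len - k, k); /* keep only the partial match */
            s->len = k;
            return VERDICT_PENDING;
        }
    }
    s->len = 0;
    return VERDICT_CLEAN;
}

int main(void)
{
    struct stream_ctx s = { {0}, 0 };
    /* Constructed segments: the signature is split across the first two. */
    const char *segs[] = { "GET /EVIL-PAY", "LOAD HTTP/1.0", "GET /index.html" };
    for (int i = 0; i < 3; i++)
        printf("segment %d -> verdict %d\n", i, (int)eval_segment(&s, segs[i], strlen(segs[i])));
    return 0;
}
```

The first segment yields PENDING and the second ALERT, so a caller that wants a verdict per packet must be prepared for the verdict to arrive on a later packet of the same flow.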