[Snort-devel] Snort as a library

Michael Richardson Michael.Richardson at ...2449...
Tue Jul 20 06:57:03 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Harry" == Harry Richardson <cormallen at ...398...> writes:
    Harry> I'm looking into building snort as a library, so that another
    Harry> process can pass packets to it for evaluation and get back
    Harry> any alerts that Snort generates.

  See the start of my patches to contextualize snort.
  http://www.sandelman.ca/tmp, look for snort-*.
  I have to redo the patches for a later release, they were last touched
in April.

    Harry> Getting data in and out of Snort is easy, but what I'd like
    Harry> to do is get an instant response to a packet (ie, if the
    Harry> packet is evil, then an alert is fired instantly).  Is this
    Harry> possible, or does Snort use buffers and/or threads so that
    Harry> the response to a packet may be output after many other

  It does not use threads.
  However, there are situations where the answer is not available until
after more traffic has been received, due to the TCP reassembly code.

    Harry> (I have pretty good C chops and a background in writing
    Harry> packet analysis code, so I'm prepared to rewrite large chunks
    Harry> of Snort if need be, but I don't know the codebase and wanted
    Harry> to ask the experts before jumping right in).

  The problem you will have is maintenance. If you adjust the code
significantly, then you will effectively have forked it. So far, I have
not found a way to get enough of the sourcefire team's attention to find
out what criteria they will use to determine if they accept a patch.

  There is apparently a new regression testing system, but I haven't
seen it yet. That should help prove the patches are okay.

- --
]       ON HUMILITY: to err is human. To moo, bovine.                         [
]   Michael Richardson,            Seaway Networks Corporation                [
]   michael at ...2449...     http://www.seawaynetworks.com/             [
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Finger me for keys

iD8DBQFA/SQW22r3dfT9QZERAlcWAJwOIbbbtkbOiTWJbBRkgwmcM56r6QCg4sJn
jmjDRewb0pDhqix5Aj5hBDw=
=zFUa
-----END PGP SIGNATURE-----




More information about the Snort-devel mailing list