[Snort-devel] Snort as a library

Daniel Roelker droelker at ...402...
Tue Jul 20 08:28:08 EDT 2004

Hi Michael,

On Tue, 2004-07-20 at 09:55, Michael Richardson wrote:
>     Harry> (I have pretty good C chops and a background in writing
>     Harry> packet analysis code, so I'm prepared to rewrite large chunks
>     Harry> of Snort if need be, but I don't know the codebase and wanted
>     Harry> to ask the experts before jumping right in).
>   The problem you will have is maintenance. If you adjust the code
> significantly, then you will effectively have forked it. So far, I have
> not found a way to get enough of the sourcefire team's attention to find
> out what criteria they will use to determine if they accept a patch.

I've only seen a couple of patches that you've sent to the list. 
Correct me if I'm wrong, but these were:

-Werror patch
We'll look into it when we have time, but right now this does not affect
functionality and is not a security issue so it's low priority.

Global variable to structure
You also submitted a patch that put global variables into a structure so
you could run multiple "threads" that listen to different network
interfaces.  This patch seemed to work for the embedded development you
were doing, but didn't add any real value to the snort project. 
Threading snort itself is an issue that is debated on these mailing
lists and something that we are not yet ready to commit to.

In general, the two patches you sent helped you with your embedded
development, but they did not add any value to the snort user community
in terms of bugfixes, features, or enhancements.  That's why they will
not be added in.

Patch submission for snort is also more rigorous these days.  Not only
does a patch need to add some sort of enhancement, but it needs to be
coded well and go through a code audit and our testing.  It's not a
simple matter of running that patch through a test suite to determine
it's ok.  It requires much more time than that, especially if it's a
patch of any significance.  And since all the snort developers are busy
adding new features, we add these patches to our queue for when we do
have time.  We only break that rule if the patches add substantial
functionality that we want to add right away.

As for getting the attention of the sourcefire team and asking us
questions, you could always send us an email.  Marc Norton, myself, and
Jeremy Hewlett handle the code side of snort.  We'd be happy to talk to
you or anyone else.  Feel free to let us know what you like, dislike,
and things you want to see added to snort in the future.

Daniel Roelker
Software Developer
Sourcefire, Inc.
