[Snort-devel] Snort as a library

Michael Richardson Michael.Richardson at ...2449...
Tue Jul 20 09:14:02 EDT 2004


>>>>> "Daniel" == Daniel Roelker <droelker at ...402...> writes:
    Daniel> -Werror patch We'll look into it when we have time, but
    Daniel> right now this does not affect functionality and is not a
    Daniel> security issue so it's low priority.

  I STRONGLY disagree. -Werror is critical. It finds portability bugs,
and it catches lots of errors that programmers make. There were a number
of places where functions were declared that did not match their
prototypes. This is because there are prototypes missing for quite a lot
of code, and other places where the .h file simply isn't included.

    Daniel> Global variable to structure You also submitted a patch that
    Daniel> put global variables into a structure so you could run
    Daniel> multiple "threads" that listen to different network
    Daniel> interfaces.  This patch seemed to work for the embedded

  No.
  My goal is *NOT* threads. It happens that it might be useful for that
as well. My goal is to be able to listen to multiple interfaces at the same
time from the same executable. 
  Yes, there is an embedded system involved --- but it actually has no threads
at all. Not even processes. 

  This patch would eventually make it possible to listen to FD traffic
using a pair of interfaces (something which has been asked for
several times on the lists), but also for a single sensor to listen in
multiple places and correlate traffic.
  No, it doesn't do all of that in the patch that is there. Attempting
to do everything in one step is foolish, and as an open source
maintainer, I always ask for structural changes to be separated from
functional changes so that the testing can be made simpler.

    Daniel> Patch submission for snort is also more rigorous these days.
    Daniel> Not only does a patch need to add some sort of enhancement,
    Daniel> but it needs to be coded well and go through a code audit
    Daniel> and our testing.  It's not a simple matter of running that

  I still await some kind of explanation of what this testing is.
I haven't looked at the latest release, I will do that soon. I hope it
is there.

  I had to come up with my own test suite. I don't know how you guys
are testing snort. That was part of the -Werror patch, because I had to
fix the searching code to be actually valid C. 

  I've actually led much larger open source projects than snort, and I
am well familiar with what is necessary. In fact, you LINK against
libpcap, which I happen to maintain. 

    Daniel> As for getting the attention of the sourcefire team and
    Daniel> asking us questions, you could always send us an email.
    Daniel> Marc Norton, myself, and Jeremy Hewlett handle the code side
    Daniel> of snort.  We'd be happy to talk to you or anyone else.

  Well, I'd like to get feedback.
  You may not feel that something has value, but if you don't
communicate I'll never know that. You may not have even understood the
point of the patch. It might lead to other larger things.

  If you want snort to be a community supported project, then it is
important to be responsive. If you want it just to be the public face of
sourcefire, then I predict that someone will fork the code base next
time they get frustrated.

- --
]       ON HUMILITY: to err is human. To moo, bovine.                         [
]   Michael Richardson,            Seaway Networks Corporation                [
]   michael at ...2449...     http://www.seawaynetworks.com/             [
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [