[Fwd: Re: [Snort-devel] Input-Plugin]

Roland Turner raz.fabeg.bet at ...2131...
Fri Feb 3 04:42:01 EST 2006

On Fri, 2006-02-03 at 13:02 +0100, Nico wrote:

> >     snort -r filename
> > 
> I think that woud be to slow... maybe i explained my problem improperly.
> it's not only one packet i have to analyze. i will get continuously
> packet information.

Not so much "improperly" as incompletely. You've still not said much
about what your source of packets is. You're free to keep this to
yourself of course, but absent a straightforward way to do this, knowing
more about the context in which you're trying to work (e.g. knowing
where your data is coming from) is likely to inform better suggestions.

> So it is more running snort in daemon mode analyzing data from my input
> plugin instead of libpcap.

The current snort code is pretty strongly wedded to libpcap and libipq.
The lines of attack that I'd consider are:

1) Write a custom libpcap. libpcap is essentially snort's input plugin
interface. This is particularly useful if you're ever likely to want to
use your source of data in another context as the work will trivially
carry across to the many other tools which use libpcap in this way.
Needless to say, actually producing such a beast is not at all trivial.

2) Modify snort to accept input from somewhere other than
libpcap/libipq. This appears to be what you're assuming that you want to
do. If you want a quick list of what needs changing, grep a recent
source for InlineMode. If the list's length is intimidating, have a look
at one of the earliest snort_inline patches; the number of integration
points is reduced to a minimal set. This may be less work than a libpcap
implementation, but it's not trivial and may require re-integration at
each snort revision.

3) Use "snort -r" but at the end of a pipeline. Have your source process
still generate its pcap output, but instead of writing to a file and
launching snort once per packet, write to a pipe. Note that libpcap is a
little picky about being used this way, in particular it tends to barf
if packets are split across multiple write()s to the pipe input, so
ensure that your daemon is writing the pcap header and the packet in a
single call to write(2).

Best of luck,

- Raz

More information about the Snort-devel mailing list