[Snort-devel] Plugin API Feature Request

Thomas Seiler thseiler at ...2499...
Fri Jan 20 05:14:06 EST 2006


Hi snort-devel list,

The current order of snort startup is: (AFAIK and AFA it concerns a plugin)
- Plugin Setup Function, registers Plugin
- When the parser sees a plugin line in the conf, the Plugins Init is run
- The Rules are parsed
- (1)
- The main loop starts:
   - The plugins is processing callback is called for each packet / alert.
   - (2)
- When snort wants to exist, the Plugins CleanExit handler is called.
- snort exists

(1): I miss a way to run a handler / function in a plugin at the end
of parsing the rules. This would be handy i.e. when you write a db
output plugin. It would be possible to sync the signatures in the
database in one go at startup instead of syncing while logging alerts.

(2): I miss also a way to run a function in a periodic way. For now,
the only way is to do periodic maintenance work inside the processing
callback and check at callback time if it is time for maintenance
work. The problem here is, that one needs an alert in order to be able
to do maintenance work inside an output plugin. i.e. if I want to
update the statistics (#packets / dropped...) for this sensor in the
database.

I think (1) is easily fixable by adding a new function pointer list
aswell as an API call to register a callback function to be called
after snort has finished parsing the config.

(2) is a little bit harder, the callback function list and API is
analogous to (1). libpcap has a timeout feature, if onw switches
pcap_loop to pcap_dispatch.

What do you think about the proposed features ? Is anyone interested in these ?
Any chance that such changes would be applied to snort, If I would
provide a patch ?

Thanks for reading this far,
Thomas



--
Excercise 17:
If the human brain was simple enough for us to understand we'd be so
simple we couldn't understand.
Prove this by induction.




More information about the Snort-devel mailing list