[Snort-devel] Plugin API Feature Request

Jeff Nathan jeff at ...835...
Sat Jan 21 02:01:21 EST 2006


With respect to issue 2, this can be done with libevent, as I did in  
the XML output plugin (op_alert_xml) in barnyard (you'll have to  
check out using the JNATHAN branch if you want to see the code - it's  
not part of an actual barnyard release yet).

-Jeff

On Jan 20, 2006, at 8:13 AM, Thomas Seiler wrote:

> Hi snort-devel list,
>
> The current order of snort startup is: (AFAIK and AFA it concerns a  
> plugin)
> - Plugin Setup Function, registers Plugin
> - When the parser sees a plugin line in the conf, the Plugins Init  
> is run
> - The Rules are parsed
> - (1)
> - The main loop starts:
>    - The plugin's processing callback is called for each packet /  
> alert.
>    - (2)
> - When snort wants to exit, the Plugins CleanExit handler is called.
> - snort exits
>
> (1): I miss a way to run a handler / function in a plugin at the end
> of parsing the rules. This would be handy i.e. when you write a db
> output plugin. It would be possible to sync the signatures in the
> database in one go at startup instead of syncing while logging alerts.
>
> (2): I miss also a way to run a function in a periodic way. For now,
> the only way is to do periodic maintenance work inside the processing
> callback and check at callback time if it is time for maintenance
> work. The problem here is, that one needs an alert in order to be able
> to do maintenance work inside an output plugin. i.e. if I want to
> update the statistics (#packets / dropped...) for this sensor in the
> database.
>
> I think (1) is easily fixable by adding a new function pointer list
> as well as an API call to register a callback function to be called
> after snort has finished parsing the config.
>
> (2) is a little bit harder, the callback function list and API is
> analogous to (1). libpcap has a timeout feature, if one switches
> pcap_loop to pcap_dispatch.
>
> What do you think about the proposed features? Is anyone  
> interested in these?
> Any chance that such changes would be applied to snort, if I
> provided a patch?
>
> Thanks for reading this far,
> Thomas
>
>
>
> --
> Exercise 17:
> If the human brain was simple enough for us to understand we'd be so
> simple we couldn't understand.
> Prove this by induction.
>
>


--
Now with 100% more mailing lists.
http://nemesis.sourceforge.net
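The two hooks Thomas asks for, a one-shot post-config callback list (1) and a periodic callback list driven from a capture loop that returns on a read timeout (2), can be sketched as plain function-pointer lists. The code below is an added illustration for this thread, not Jeff's libevent-based barnyard code and not Snort's real plugin API: every function and type name (AddFuncToPostConfigList, AddFuncToPeriodicList, RunDuePeriodicFuncs, DbPluginState, DemoRun) is a hypothetical stand-in, and the main loop is simulated with a fake clock instead of a real pcap_dispatch() call so it runs offline and deterministically.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumed callback signatures (hypothetical, not Snort's real plugin API). */
typedef void (*PostConfigFunc)(void *arg);
typedef void (*PeriodicFunc)(void *arg, time_t now);

typedef struct PostConfigNode {
    PostConfigFunc func;
    void *arg;
    struct PostConfigNode *next;
} PostConfigNode;

typedef struct PeriodicNode {
    PeriodicFunc func;
    void *arg;
    unsigned interval;          /* seconds between invocations */
    time_t next_due;            /* next simulated time this callback is due */
    struct PeriodicNode *next;
} PeriodicNode;

static PostConfigNode *post_config_list = NULL;
static PeriodicNode *periodic_list = NULL;

/* (1) Register a function to run once after rule/config parsing finishes. */
void AddFuncToPostConfigList(PostConfigFunc f, void *arg)
{
    PostConfigNode *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->func = f; n->arg = arg; n->next = post_config_list;
    post_config_list = n;
}

/* (2) Register a function to run every `interval` seconds, counted from `now`. */
void AddFuncToPeriodicList(PeriodicFunc f, void *arg, unsigned interval, time_t now)
{
    PeriodicNode *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->func = f; n->arg = arg; n->interval = interval;
    n->next_due = now + interval; n->next = periodic_list;
    periodic_list = n;
}

/* Core calls this once after parsing; returns how many callbacks ran. */
int RunPostConfigFuncs(void)
{
    int count = 0;
    for (PostConfigNode *n = post_config_list; n; n = n->next) { n->func(n->arg); count++; }
    return count;
}

/* Core calls this every time the capture loop returns (packet or timeout). */
int RunDuePeriodicFuncs(time_t now)
{
    int count = 0;
    for (PeriodicNode *n = periodic_list; n; n = n->next) {
        if (now >= n->next_due) {
            n->func(n->arg, now);
            n->next_due = now + n->interval;   /* reschedule from now: no catch-up bursts after a stall */
            count++;
        }
    }
    return count;
}

void ClearCallbackLists(void)
{
    while (post_config_list) { PostConfigNode *n = post_config_list; post_config_list = n->next; free(n); }
    while (periodic_list)    { PeriodicNode *n = periodic_list;       periodic_list = n->next;    free(n); }
}

/* --- Toy "db output plugin" (hypothetical) using both hooks --- */
typedef struct { int sigs_synced; int stats_updates; } DbPluginState;

static void DbSyncSignatures(void *arg)            /* (1): one-shot signature sync */
{ ((DbPluginState *)arg)->sigs_synced++; }

static void DbUpdateStats(void *arg, time_t now)   /* (2): periodic sensor statistics */
{ (void)now; ((DbPluginState *)arg)->stats_updates++; }

/* Simulated main loop. Each iteration stands for one pcap_dispatch() call that
   returns after at most `dispatch_timeout` seconds even with no traffic, so the
   periodic check runs whether or not an alert was produced. Returns the number
   of periodic callback invocations over `run_seconds` of simulated time. */
int DemoRun(DbPluginState *st, unsigned interval, time_t run_seconds, unsigned dispatch_timeout)
{
    time_t now = 0;                 /* simulated clock (constructed), not wall time */
    int fired = 0;
    ClearCallbackLists();
    memset(st, 0, sizeof *st);
    AddFuncToPostConfigList(DbSyncSignatures, st);        /* done in plugin Init */
    AddFuncToPeriodicList(DbUpdateStats, st, interval, now);
    RunPostConfigFuncs();                                 /* after the rules are parsed */
    while (now < run_seconds) {
        now += dispatch_timeout;                          /* dispatch returned on its read timeout */
        fired += RunDuePeriodicFuncs(now);
    }
    ClearCallbackLists();
    return fired;
}
```

Rescheduling from `now` rather than from the old `next_due` is the design choice worth noting: with a 10-second interval and a 7-second dispatch timeout the callback fires four times in a 60-second run rather than six, but a plugin that stalled (slow database, for instance) does not get hammered with a burst of queued maintenance calls when it recovers.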

