[Snort-devel] Plugin API Feature Request

Thomas Seiler thseiler at ...2499...
Sat Jan 21 04:17:04 EST 2006


Hi Jeff,

On 1/21/06, Jeff Nathan <jeff at ...835...> wrote:
> With respect to issue 2, this can be done with libevent, as I did in
> the XML output plugin (op_alert_xml) in barnyard (you'll have to
> checkout using the JNATHAN branch if you want to see the code - it's
> not part of an actual barnyard release yet)

Thanks! Yes, I didn't know of libevent yet. It's actually a very nice
way to do regular maintenance work and exactly the thing I need for my
plugin. Thank you very much...

Nevertheless I see a small difference in semantics. The callback
described in my earlier mail would be synchronous, (i.e. it happens
exactly in between calls to the snort detector routines), and a
libevent callback would be asynchronous to the packet processing.

This could become an issue for future plugins (in theory it is
possible to change the rule-trees while snort is running from within a
plugin, i.e. auto-updating the rules from a database instead of an
external agent rewriting the config file and reloading snort, but this
would have to happen synchronously, in between calls to the snort
detector.)

Regarding issue 1, I think I have found a solution for now.
Instead of syncing the whole rule tree when the first alert occurs, I
simply sync the rule that corresponds to the alert plus N other rules
(N configurable). Eventually all rules will be synced and I can
switch syncing off.

Best Regards,
Thomas
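The incremental sync strategy described for issue 1, written out as an added example; this is not code from the thread, from Snort or from barnyard. The rule table, the `sid` field, the `struct sync_state` bookkeeping and the "push to the external store" step (modelled as appending to an in-memory array) are all assumed, hypothetical stand-ins for whatever the real plugin keeps. The point it shows is the one the mail makes: the work is done in the alert path, synchronously with the detector, a rule that fires is synced immediately, a bounded number of other rules ride along on each alert, and once the table is fully synced the alert hook becomes a cheap early return.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_RULES 64

/* One entry in the plugin's (hypothetical) shadow copy of the rule set. */
struct rule {
    unsigned sid;   /* rule identifier; assumed unique for this example */
    bool synced;    /* already pushed to the external store? */
};

struct sync_state {
    struct rule rules[MAX_RULES];
    size_t nrules;
    size_t nsynced;
    size_t cursor;              /* where the "N other rules" sweep resumes */
    bool syncing;               /* cleared once every rule has been pushed */
    unsigned pushed[MAX_RULES]; /* order of pushes; stands in for the DB write */
    size_t npushed;
};

static void sync_init(struct sync_state *s, const unsigned *sids, size_t n)
{
    s->nrules = n < MAX_RULES ? n : MAX_RULES;
    for (size_t i = 0; i < s->nrules; i++) {
        s->rules[i].sid = sids[i];
        s->rules[i].synced = false;
    }
    s->nsynced = 0;
    s->cursor = 0;
    s->npushed = 0;
    s->syncing = s->nrules > 0;
}

/* Push rule idx if it has not been pushed yet.  Returns true on a push. */
static bool push_rule(struct sync_state *s, size_t idx)
{
    if (s->rules[idx].synced)
        return false;
    s->rules[idx].synced = true;
    s->pushed[s->npushed++] = s->rules[idx].sid;
    s->nsynced++;
    if (s->nsynced == s->nrules)
        s->syncing = false;   /* all done: later alerts skip this path entirely */
    return true;
}

/* Alert-time hook: sync the alerting rule (if still unsynced) plus up to
 * n_extra other unsynced rules.  Runs in the alert path, i.e. synchronously
 * with the detector.  Returns how many rules this call pushed. */
static size_t sync_on_alert(struct sync_state *s, unsigned sid, size_t n_extra)
{
    size_t pushed = 0;

    if (!s->syncing)
        return 0;

    for (size_t i = 0; i < s->nrules; i++) {
        if (s->rules[i].sid == sid) {
            if (push_rule(s, i))
                pushed++;
            break;
        }
    }

    /* Sweep from the cursor so rules that never fire are still reached;
     * one full pass over the table bounds the scanning cost of a call. */
    size_t extra = 0;
    for (size_t scanned = 0;
         scanned < s->nrules && extra < n_extra && s->syncing;
         scanned++) {
        size_t i = s->cursor;
        s->cursor = (s->cursor + 1) % s->nrules;
        if (push_rule(s, i))
            extra++;
    }
    return pushed + extra;
}

int main(void)
{
    /* Constructed sample rule set: five sids, N = 2 extra rules per alert. */
    static const unsigned sids[] = { 1000001, 1000002, 1000003, 1000004, 1000005 };
    struct sync_state s;
    sync_init(&s, sids, 5);

    unsigned alerts[] = { 1000003, 1000003, 1000001, 1000005 };
    for (size_t a = 0; a < sizeof alerts / sizeof alerts[0]; a++) {
        size_t n = sync_on_alert(&s, alerts[a], 2);
        printf("alert sid=%u: pushed %zu rule(s), %zu/%zu synced, syncing=%s\n",
               alerts[a], n, s.nsynced, s.nrules, s.syncing ? "on" : "off");
    }
    return 0;
}
```

Two details worth noting. The sweep cursor is what guarantees the "eventually all rules will be synced" property: a rule that never fires is still picked up as one of the N extras, so completion depends only on the number of alerts, not on which rules alert. And because the hook returns immediately once `syncing` is cleared, the cost of leaving it registered is one boolean test per alert, which is what makes doing this synchronously in the alert path acceptable; a libevent timer, by contrast, would run this from the event loop rather than between detector calls.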
