[Snort-devel] Question about DAQ in snort 3.0

Jun Xiao xiaojuntime at ...2499...
Mon Jul 7 04:41:49 EDT 2008


I think the mechanism is that the engine will invoke the callback
function finish_packet() to tell the data source module to take the
corresponding action. Is that correct?
There is also another question: why do we need to do a packet copy in dap_pcap.c?
pcap_process_loop() {
    ...
    memcpy(p, data, pkth->caplen);
    ...
}
Can we reuse the data pointer to reduce the packet copy?

Thanks,
Jun

2008/7/4 Xiao Jun <xiaojuntime at ...2499...>:
> Hi All,
>
> I am wondering whether snort 3.0 beta + iptables (IPS mode) is workable
> or not; that is, how does the engine return the detection result (for
> example, drop or reject) back to the data source?
>
> BTW, at line 147 of daq_ipq.c, "dd.resolution" should be used to
> return the detection result, but I cannot even find the
> definition of resolution.
>
> Thanks,
> Jun
>



