[Snort-devel] Implementing timeouts in Snort

Steven Sturges steve.sturges at ...402...
Tue Oct 21 08:39:14 EDT 2008


Hi Devdutt--

Depending on what protocols your preprocessor is using, you
can leverage the stream API and store data that is associated
with the TCP or UDP session structure.

The data is then freed (providing you specify a free
function) when the session is terminated -- via timeout or
normal TCP FIN/FIN-ACK/etc.

Cheers.
-steve

Devdutt Patnaik wrote:
> Hi All,
>  
> I am currently working on a preprocessor plugin that needs to keep some
> state but will discard it upon a timeout.
>  
> I have some experience with Snort and have previously written a state
> machine based preprocessor plugin.
> However I didn't have to use timeouts until now. All the logic was just
> based on incoming packet events, i.e. asynchronous, wherein the packet
> arrival events would allow/trigger my logic to execute.
> In the timer case I need to get some code to run without triggers from
> incoming packets.
>  
> I looked at the snort.conf file and preprocessors like frag3 do use
> timers/timeouts. However it isn't clear how they are implemented in the code.
>  
> Can someone give me a few tips/hints so that I could understand how I
> could implement timeouts/timers in Snort?
>  
> Thanks,
> Devdutt.


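A self-contained model of the pattern described in the reply above, added here as an example and not taken from Snort or from either poster: preprocessor state hangs off a session record together with a free callback, and the session layer calls that callback on idle timeout or on FIN. The names (`on_packet`, `preproc_eval`, `IDLE_TIMEOUT`) and the use of packet timestamps as the clock are assumptions of this model, not Snort's stream API.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_SESSIONS 8
#define IDLE_TIMEOUT 30                  /* seconds; constructed value */
typedef void (*app_free_fn)(void *);
struct session {                         /* hypothetical session record */
    int in_use; unsigned key; long last_seen;   /* key stands in for the 5-tuple */
    void *app_data; app_free_fn app_free;       /* preprocessor state + its destructor */
};
static struct session table[MAX_SESSIONS];
static int freed_count;                  /* lets the caller observe cleanup */

/* Session teardown: the owner's free function runs exactly once. */
static void session_close(struct session *s) {
    if (s->app_data && s->app_free) s->app_free(s->app_data);
    memset(s, 0, sizeof *s);
}

/* Session layer: expire idle sessions against the packet's timestamp,
 * then find or create the session for this packet. */
static struct session *on_packet(unsigned key, long ts, int fin) {
    struct session *s = NULL, *slot = NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *c = &table[i];
        if (c->in_use && ts - c->last_seen > IDLE_TIMEOUT) session_close(c);
        if (c->in_use && c->key == key) s = c;
        else if (!c->in_use && !slot) slot = c;
    }
    if (!s && !(s = slot)) return NULL;  /* table full: packet is not tracked */
    s->in_use = 1; s->key = key; s->last_seen = ts;
    if (fin) { session_close(s); return NULL; }  /* normal teardown */
    return s;
}

struct my_state { int packets; };        /* the preprocessor's per-session state */
static void my_state_free(void *p) { freed_count++; free(p); }

/* Preprocessor side: attach state on first sight, never free it directly.
 * Returns the per-session packet count, or 0 when no session is live. */
int preproc_eval(unsigned key, long ts, int fin) {
    struct session *s = on_packet(key, ts, fin);
    if (!s) return 0;
    if (!s->app_data) {
        if (!(s->app_data = calloc(1, sizeof(struct my_state)))) return 0;
        s->app_free = my_state_free;
    }
    return ++((struct my_state *)s->app_data)->packets;
}
int main(void) { preproc_eval(1, 100, 0); preproc_eval(2, 145, 0); return freed_count != 1; }
```

In this model no timer thread exists: an idle session's state is released the next time any packet arrives, so cleanup latency depends on traffic.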

