[Snort-devel] Looking at rule metadata from an output plugin

Alan M. Carroll amc at ...3043...
Wed May 27 22:45:00 EDT 2009


I am working on an output plugin for Snort 2.8.4 and it would be handy to have access to metadata. However, looking at the code it appears that rule metadata that is not used by Snort is discarded and not available.

One approach would be to use some other parser logic to read the rule file, extract the metadata, and then use signature identifiers to match up, but that seems a bit redundant, especially for something that is compiled into Snort, whose parser already fully parses the metadata.

My current plan is to augment ParseMetadata to have a list of name/function pairs. After checking the known metadata keys, if unmatched it would traverse the list comparing the key to the strings. Upon a match, the corresponding function would be called and passed the OptTreeNode, the key, and the value (all of which are in local variables by this point). Then I would add a "RegisterMetadataHandler" function to allow plugins to populate the list.

I am left with three questions:

1) Is this a reasonable approach?
2) Would anyone else be interested in it, i.e. should I plan on making it robust enough for others to use?
3) How should my plugin interact safely with the ds_list member of OptTreeNode? Presumably it needs to get a globally unique index, but how is that done?

Thanks!

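The registration-and-dispatch scheme the message proposes, as an added example that is not part of the original post and not Snort's code. Everything in it is a hypothetical stand-in: OptTreeNode is reduced to the fields the example needs, ParseMetadata is a simplified re-implementation of the metadata option grammar (a key followed by its value, pairs separated by commas; the value may contain spaces), the "engine" key stands in for a key Snort consumes itself, and PluginMeta and PolicyHandler belong to an imaginary output plugin. The metadata string parsed in main is constructed for the example.

```c
/* Added example, not Snort source: a minimal version of the
 * "registered metadata handler" idea from the post. A plugin registers
 * (key, callback) pairs; a ParseMetadata-like routine handles the keys
 * it knows itself and hands any other key to the matching callback. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rule node: only the fields this example needs. */
typedef struct {
    unsigned sid;
    char engine[32];     /* a key the core parser consumes itself */
    void *plugin_data;   /* where a plugin would hang its own state */
} OptTreeNode;

typedef void (*MetadataHandler)(OptTreeNode *otn, const char *key, const char *value);

typedef struct MetadataHandlerEntry {
    const char *key;     /* caller keeps this string alive (literals are fine) */
    MetadataHandler fn;
    struct MetadataHandlerEntry *next;
} MetadataHandlerEntry;

static MetadataHandlerEntry *g_metadata_handlers = NULL;

/* The registration entry point the post proposes adding. */
void RegisterMetadataHandler(const char *key, MetadataHandler fn)
{
    MetadataHandlerEntry *e = malloc(sizeof *e);
    if (!e) { perror("malloc"); exit(1); }
    e->key = key;
    e->fn = fn;
    e->next = g_metadata_handlers;
    g_metadata_handlers = e;
}

/* Returns 1 if a registered handler consumed the key, 0 otherwise. */
static int DispatchMetadata(OptTreeNode *otn, const char *key, const char *value)
{
    for (MetadataHandlerEntry *e = g_metadata_handlers; e; e = e->next) {
        if (strcmp(e->key, key) == 0) { e->fn(otn, key, value); return 1; }
    }
    return 0;
}

/* Parse the body of a "metadata:" option: "key value, key value, ...".
 * Known keys are handled in place; unknown keys go to the registry;
 * keys nobody claims are dropped, as the post says Snort does today.
 * Returns the number of key/value pairs that someone handled. */
int ParseMetadata(OptTreeNode *otn, const char *data)
{
    size_t len = strlen(data);
    char *buf = malloc(len + 1);          /* strtok needs a writable copy */
    if (!buf) { perror("malloc"); exit(1); }
    memcpy(buf, data, len + 1);

    int handled = 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        while (*tok == ' ' || *tok == '\t') tok++;                  /* leading ws  */
        size_t n = strlen(tok);
        while (n > 0 && (tok[n - 1] == ' ' || tok[n - 1] == '\t'))  /* trailing ws */
            tok[--n] = '\0';
        if (n == 0) continue;                                       /* e.g. trailing comma */

        /* Split "key value": key is the first word, value is the rest. */
        const char *value = "";
        char *sp = strchr(tok, ' ');
        if (sp) { *sp = '\0'; value = sp + 1; while (*value == ' ') value++; }

        if (strcmp(tok, "engine") == 0) {
            snprintf(otn->engine, sizeof otn->engine, "%s", value);
            handled++;
        } else if (DispatchMetadata(otn, tok, value)) {
            handled++;
        }
    }
    free(buf);
    return handled;
}

/* Imaginary output plugin: remembers the "policy" metadata per rule. */
typedef struct { char policy[32]; int hits; } PluginMeta;

static void PolicyHandler(OptTreeNode *otn, const char *key, const char *value)
{
    (void)key;
    PluginMeta *pm = otn->plugin_data;
    if (!pm) { pm = calloc(1, sizeof *pm); otn->plugin_data = pm; }
    snprintf(pm->policy, sizeof pm->policy, "%s", value);
    pm->hits++;
}

int main(void)
{
    OptTreeNode otn = {0};
    otn.sid = 1000001;
    RegisterMetadataHandler("policy", PolicyHandler);
    /* Constructed sample; not taken from a real rule. "service" is claimed by nobody. */
    int n = ParseMetadata(&otn, "engine shared, policy balanced-ips drop, service http");
    PluginMeta *pm = otn.plugin_data;
    printf("sid %u: %d keys handled, engine=%s, plugin policy=%s\n",
           otn.sid, n, otn.engine, pm ? pm->policy : "(none)");
    free(pm);
    return 0;
}
```

The registry is a linked list searched only when the core parser did not recognise the key, so existing keys keep their current handling and a plugin cannot hijack them. Handlers are stored by pointer to the key string, so a plugin must register with a literal or otherwise long-lived string, and the example keeps per-rule plugin state behind the node's `plugin_data` pointer rather than touching anything resembling `ds_list`, since the post leaves open how a plugin should obtain an index into it.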