[Snort-devel] Looking at rule metadata from an output plugin

Steven Sturges steve.sturges at ...402...
Sun May 31 13:01:15 EDT 2009


Hi Alan--

1.  CleanExit is called as part of Snort shutdown (TERM or end of pcap).
The Restart code is called prior to reloading a configuration after a
HUP.  Most of the time, those will be the same, but if there is memory
that is required to stay around after the hup, they could be different.

2.  It is probably better to place the memory in the SigInfo structure
rather than the ds_list for the rule.  That is where other rule data is
stored -- sid, gid, rev, and the metadata that Snort uses.  And then it
would need to get freed when that structure is freed...

Hope that helps.

Cheers.
-steve

Alan M. Carroll wrote:
> I have my output plugin working now along with the rule metadata hook.  If you've ever wanted to be able to do output overrides on specific rules, it works very nicely for that purpose.
> 
> I have just a couple of questions left.
> 
> 1) What is the difference between Restart and CleanExit? I can't find any documentation that elucidates the distinction and a sampling of existing output plugins yields the uniform result that both of these are implemented with identical code. Is this just an artifact from earlier versions of Snort?
> 
> 2) How or should memory allocated and placed in OpTreeNode.ds_list be cleaned up? Currently when the plugin sees its metadata, it allocates a struct and stuffs it in the ds_list. But that memory is never released. Is that a problem?
> 
> Thanks!
> 
> 
> ------------------------------------------------------------------------------
> Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT 
> is a gathering of tech-side developers & brand creativity professionals. Meet
> the minds behind Google Creative Lab, Visual Complexity, Processing, & 
> iPhoneDevCamp as they present alongside digital heavyweights like Barbarian 
> Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 




More information about the Snort-devel mailing list