[Snort-devel] how to call my own function on snort - Help

Ryan Jordan ryan.jordan at ...402...
Mon Sep 26 18:03:04 EDT 2011


Hello ndritsos,

The best way to call your function from a rule is to write a Shared Object
(.so) rule. There are plenty of examples in
src/dynamic-plugins/sf_engine/examples to help you get started.

Some quick steps:

- Create a new .c file in the examples directory
- Declare a Rule struct (defined in
src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h)
- Modify your function to fit the format:
      int myfunction(void *p)
  Where (void *p) can be cast to SFSnortPacket, defined in
src/dynamic-plugins/sf_engine/sf_snort_packet.h
- Set the "evalFunc" member of "Rule" to point to your function
- Modify src/dynamic-plugins/sf_engine/examples/Makefile.am to include your
.c file
- Modify src/dynamic-plugins/sf_engine/examples/rules.c to include a
reference to your Rule object

There's not a whole lot of documentation on writing shared object rules, but
the "Snort Devel" mailing list is a good place to ask questions. Check out
http://www.snort.org/community/mailing-lists/ .

-Ryan

On Mon, Sep 26, 2011 at 5:27 PM, ndritsos <ndritsos at ...2499...> wrote:

> Hello Guys,
>
> I need your help. I have a function in C:
>
> void   myfunction( seqNUmber, ackNumber , srcIP, dstIP,srcPort,destPort ){
>
>    // here is the code , that is doing something
>
> }
>
>
> I want to know how I can call this function from a Snort rule.
> Could you please give me hints / steps that I have to do?
>
>
> Thank you in advance
>
> PS: I am so sorry for my terrible English
>
>
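
The adapter step from the reply above (wrapping the six-argument function in the `int myfunction(void *p)` shape and pointing `evalFunc` at it), as an added example that is not part of the original thread and is not Snort's own code. The struct definitions are simplified stand-ins so the file compiles without the Snort tree; their field names, the `RULE_MATCH`/`RULE_NOMATCH` values, the `int` return type given to `myfunction`, and its match condition are assumptions. In a real build you would include `sf_snort_plugin_api.h` and `sf_snort_packet.h` instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>   /* ntohl, htonl */

/* Stand-ins (assumed) for the definitions in the Snort headers. */
#define RULE_NOMATCH 0
#define RULE_MATCH   1

typedef struct { uint32_t source, destination; } IPV4Header;       /* network order */
typedef struct { uint32_t sequence, acknowledgement; } TCPHeader;  /* network order */
typedef struct {
    IPV4Header *ip4_header;          /* NULL when the packet is not IPv4 */
    TCPHeader  *tcp_header;          /* NULL when the packet is not TCP  */
    uint16_t    src_port, dst_port;  /* assumed to be host order already */
} SFSnortPacket;

typedef int (*ruleEvalFunc)(void *);
typedef struct { ruleEvalFunc evalFunc; } Rule;  /* the real Rule has more members */

/* The poster's function with types filled in. Assumed to return nonzero
 * when the packet should alert; the condition is constructed for the demo:
 * destination port 80 and a source address inside 10.0.0.0/8. */
static int myfunction(uint32_t seq, uint32_t ack, uint32_t src_ip,
                      uint32_t dst_ip, uint16_t src_port, uint16_t dst_port)
{
    (void)seq; (void)ack; (void)dst_ip; (void)src_port;
    return dst_port == 80 && (src_ip >> 24) == 10;
}

/* Adapter in the int f(void *p) format the engine calls for each packet. */
int myfunction_eval(void *p)
{
    SFSnortPacket *sp = (SFSnortPacket *)p;

    /* The rule can be evaluated on packets that lack the headers we read,
     * so check every pointer before dereferencing it. */
    if (sp == NULL || sp->ip4_header == NULL || sp->tcp_header == NULL)
        return RULE_NOMATCH;

    /* Header fields arrive in network byte order; convert before use. */
    return myfunction(ntohl(sp->tcp_header->sequence),
                      ntohl(sp->tcp_header->acknowledgement),
                      ntohl(sp->ip4_header->source),
                      ntohl(sp->ip4_header->destination),
                      sp->src_port, sp->dst_port) ? RULE_MATCH : RULE_NOMATCH;
}

/* Point the rule's evalFunc member at the adapter. */
Rule my_rule = { myfunction_eval };
```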