[Snort-devel] how to call my own function on snort - Help

Russ Combs rcombs at ...402...
Tue Sep 27 14:38:12 EDT 2011


If you want to create a dynamic Snort rule outside the source tree, you can
start with the attached.

On Mon, Sep 26, 2011 at 6:03 PM, Ryan Jordan <ryan.jordan at ...402...> wrote:

> Hello ndritsos,
>
> The best way to call your function from a rule is to write a Shared Object
> (.so) rule. There are plenty of examples in
> src/dynamic-plugins/sf_engine/examples to help you get started.
>
> Some quick steps:
>
> - Create a new .c file in the examples directory
> - Declare a Rule struct (defined in
> src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h)
> - Modify your function to fit the format:
>       int myfunction(void *p)
>   Where (void *p) can be cast to SFSnortPacket, defined in
> src/dynamic-plugins/sf_engine/sf_snort_packet.h
> - Set the "evalFunc" member of "Rule" to point to your function
> - Modify src/dynamic-plugins/sf_engine/examples/Makefile.am to include your
> .c file
> - Modify src/dynamic-plugins/sf_engine/examples/rules.c to include a
> reference to your Rule object
>
> There's not a whole lot of documentation on writing shared object rules,
> but the "Snort Devel" mailing list is a good place to ask questions. Check
> out http://www.snort.org/community/mailing-lists/ .
>
> -Ryan
>
>
> On Mon, Sep 26, 2011 at 5:27 PM, ndritsos <ndritsos at ...2499...> wrote:
>
>> Hello Guys,
>>
>> I need your help. I have a function in C:
>>
>> void   myfunction( seqNUmber, ackNumber , srcIP, dstIP,srcPort,destPort ){
>>
>>    // here is the code , that is doing something
>>
>> }
>>
>>
>> I want to know how I can call this function from a Snort rule.
>> Could you please give me hints / steps that I have to do?
>>
>>
>> Thank you in advance
>>
>> PS: I am so sorry for my terrible English
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: drx-1.0.tar.gz
Type: application/x-gzip
Size: 282112 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110927/92da1694/attachment.bin>
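
Added example, not part of the original thread, the attachment or the Snort source: a sketch of the "modify your function to fit the format int myfunction(void *p)" step, wrapping the six-argument function from the question in an adapter. The Demo* structs, their field names, the DEMO_* return codes and the port-8080 check are constructed stand-ins so the file compiles on its own; the real packet layout is in sf_snort_packet.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>   /* ntohl, ntohs */

/* Constructed stand-ins for the headers reached through SFSnortPacket.
   Real layouts and field names are in sf_snort_packet.h. */
typedef struct { uint32_t src, dst; } DemoIPv4;            /* network order */
typedef struct { uint16_t sport, dport; uint32_t seq, ack; } DemoTCP;
typedef struct { const DemoIPv4 *ip4; const DemoTCP *tcp; } DemoPacket;

enum { DEMO_NOMATCH = 0, DEMO_MATCH = 1 };  /* hypothetical return codes */

/* The function from the question, given explicit types and a verdict to
   return. The body is a placeholder: match TCP segments sent to port 8080. */
static int myfunction(uint32_t seqNumber, uint32_t ackNumber,
                      uint32_t srcIP, uint32_t dstIP,
                      uint16_t srcPort, uint16_t destPort)
{
    (void)seqNumber; (void)ackNumber; (void)srcIP; (void)dstIP; (void)srcPort;
    return destPort == 8080;
}

/* Adapter in the int f(void *p) shape that an evalFunc member points at. */
int myfunction_eval(void *p)
{
    const DemoPacket *pkt = (const DemoPacket *)p;

    /* A packet without an IPv4 or TCP header must be a no-match,
       not a NULL dereference inside the detection engine. */
    if (pkt == NULL || pkt->ip4 == NULL || pkt->tcp == NULL)
        return DEMO_NOMATCH;

    /* Header fields arrive in network byte order; convert them before the
       function compares them with host-order constants such as 8080. */
    return myfunction(ntohl(pkt->tcp->seq), ntohl(pkt->tcp->ack),
                      ntohl(pkt->ip4->src), ntohl(pkt->ip4->dst),
                      ntohs(pkt->tcp->sport), ntohs(pkt->tcp->dport))
           ? DEMO_MATCH : DEMO_NOMATCH;
}
```

In a real shared object rule the cast would be to SFSnortPacket and the adapter's address would go in the Rule struct's evalFunc member, as the steps above describe.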

