[Snort-sigs] (no subject)
mkettler at ...189...
Tue Feb 11 12:49:11 EST 2003
Actually, I'll self-correct. You probably don't need to be a true
preprocessor (i.e. spp_*); you'd probably really want to be a "detection
plugin" (i.e. sp_*).
The primary difference is, as I understand it, that preprocessors modify
the data stream before passing it to the rules, whereas detection plugins
just look at the data and generate alerts as they see fit.
Either way, you're still talking about adding code to snort, and not merely
writing some kind of simple rule. Doing so would require a very good
knowledge of C code, and some time spent reading the source to snort to
learn how the interfaces work.
In any event, in the snort tarball there is a src subdirectory. Under
src/detection-plugins you'll find the plugins, and under src/preprocessors
you'll find the true preprocessors.