[Snort-sigs] (no subject)

Matt Kettler mkettler at ...189...
Tue Feb 11 12:49:11 EST 2003


Actualy, I'll self-correct.. You probably don't need to be a true 
preprocessor (ie: spp_*) you'd probably really want to be a "detection 
plugin" (ie: sp_*).

The primary difference is, as I understand it, that preprocessors modify 
the data stream before passing it to the rules, whereas detection plugins 
just look at the data and generate alerts as they see fit.

Either way, you're still talking about adding code to snort, and not merely 
writing some kind of simple rule. Doing so would require a very good 
knowledge of C code, and some time spent reading the source to snort to 
learn how the interfaces work.

In any event, in the snort tarball is a src subdirectory. under 
src/detection-plugins you'll find the plugins, and under src/preprocessors 
you'll find the true preprocessors.





More information about the Snort-sigs mailing list