[Snort-sigs] RE-Announcing sp_perl

Brian bmc at ...95...
Tue May 13 06:45:14 EDT 2003

On Sat, May 10, 2003 at 03:48:47AM -0700, Jeff Nathan wrote:
> As described in our CanSecWest/core03 presentation, Advanced IDS, Brian 
> Caswell and I are proud to present a new detection plugin for Snort: 
> sp_perl.  This detection plugin offers users full regular expression 
> matching within a Snort rule as well as runtime execution of perl code.

And now since we've had more eyes on the problem than just ours, the
dummy factor kicked in and we've cleaned it up quite a bit.

There are a few major changes in this new version:

* ports are passed as an int.  If the packet isn't TCP or UDP, they
  are set to 0 (snort does this for us).  So be smart if you are
  using ports.

* IPs are passed as an unsigned int.  If you want to use the
  stringified IP, we provide a perl version of inet_ntoa.  

* all of the alloc calls have been replaced with SnortAlloc, to make
  Chris's auditing easier.

* the payload is no longer converted to a string and passed onto the
  perl stack.  perl supports passing a pointer & length, but it wasn't
  clearly documented.  

Since we are no longer stringifying the data before passing it onto
the perl stack, sp_perl has gained a HUGE increase in speed.

The updated readme, patches, and presentation are all available on
snort.org, here:


