[Snort-users] Snort Dynamically loadable modules

Fyodor fygrave at ...121...
Sun Aug 20 15:04:05 EDT 2000


Hello people,
 here I came up with a snort specification for future implementation of
dynamically loadable modules. it would be cool if we smooth it out and
discuss certain parts and bits of implementation (f.e. snort API) before
we actually start coding that. Any feedback is welcome. Attached is the
test code which I played with on freebsd to make sure my idea works. I
would appreciate testings on different platforms to see how many platforms
could support this interface. if we would loose too many platforms we
would have to leave both options (static and dynamic modules) available to
come up to a better solution. So far it works on *BSD and linux. I am
trying to get it working on sparc, and I think it will be possible to do
it there too, others... ?

Thanks to Sebastian Krahmer for <krahmer at ...355...> for the help
with working this idea out that quickly :)


SPECIFICATION: Dynamically loadable snort plugins.
--------------------------------------------------

Internal Implementation:

Loading of snort dl plugins is done using dlopen(3) libc function. Symbol
resolution is done using dlsym(3) function. A plugin module should be
compiled as shared object and include
"snortsource/path/snort/plugins/plugin.h" header file. This headerfile
should contain int sn_plugin_magic =
"current_snort_plugin_handing_version_implementation"; would have Snort
API (see below) functions defined as pointers and
sn_inithooks(APIfuncs[]); function which would initialize these pointers
runtime. The snort main module is supposed to call it. Before snort will
have to fill APIfuncs[] array with pointers to functions and then resolve
and execute sn_inithooks().

An alternative solution is to compile snort with -export-dynamic keyword.

from dlsym manual page:
   ELF executables need to be linked using the -export-dynamic option to
     ld(1) for symbols defined in the executable to become visible to dlsym().

The proof of concept is attached. I wonder on how many platforms it would
work :).

Uppon loading of shared object and executing sn_inithooks() function,
sn_plugin_init(char *, OptTreeNode *, int protocol) function name is being
resolved and called from main module. This is the function which would perform
plugin initialisation on the same manner as it's been done in the current
implementation.

Plugin requirements:

1. Each plugin must be compiled as a shared object.
2. Each plugin must include "plugin.h" headerfile from the source tarball, which the plugin is supposed to be loaded with.
3. Each plugin must have sn_plugin_init(char *, OptTreeNode *, int protocol) and sn_plugin_stop(void); function defined. These functions would be used to initialize and shut down the plugin module.
4. Both these functions should return `0' in case of success and `-1' in case if error occured during the process of
initialisation and de-initialisation.
5. Uppon initalisation every plugin must call sn_RegisterPlugin() function (See snort API) which  is defined as following:

int sn_RegisterPlugin(int plugin_type, char *plugname, void (*Handler)(Packet *p, ...));

Arguments:

plugin_type specifies type of plugin to be registered.

Currently following types are defined:

SN_PLUGIN_INPUT
SN_PLUGIN_KEYWORD
SN_PLUGIN_PROCESS
SN_PLUGIN_OUTPUT_ALERT
SN_PLUGIN_OUTPUT_LOG

plugname specifies plugin name which would be used in internal representation or output (errors, whatever). For SP_PLUGIN_KEYWORD
it is also a keyword which this plugin implements.

Handler() is a function which is supposed to be invoked by snort main module when it is apropriate. Number of arguments for handler
function may vary and is different for different plugin types. if this argument is not required for certain plugin types, it could be null. Below is a short specification of argument types for various plugin types:
INPUT - not implemented.
KEYWORD - not needed, could be null
PROCESS - Handler(Packet *p);
OUTPUT_* - Handler(Packet *p, char *msg);

Snort API
---------

Following functions are available for snort dynamically loadable modules:
Libc:
----
libc:
(available automagically)
other-libraries:
either would have to load'em with dlopen, and run dlsym on them or should
be linked to main module beforehands.

General:
-------
int sn_RegisterPlugin(int plugin_type, char *plugname, void (*Handler)(Packet *p, ...));
void AddOptFuncToList(int (*func)(Packet *,struct _OptTreeNode*,struct _OptFpList*), OptTreeNode *otn)
void AddFuncToPreprocList(void (*func)(Packet *))
void AddFuncToOutputList(void (*func)(Packet *, char *, void *), char node_type, void *arg)
[suggestions?]

Error Handling:
--------------
Error(char *errormsg)
ErrorFmt(char *fmt, ...)
FatalError(char *errormsg)
FatalErrorFmt(char *fmt, ...)
[suggestions?]


Others:
------
[suggestions?]


-------------- next part --------------
A non-text attachment was scrubbed...
Name: dltest.tgz
Type: application/x-tar-gz
Size: 558 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20000821/2387efca/attachment.bin>


More information about the Snort-users mailing list