[Snort-users] Changing rules online

Fyodor fygrave at ...121...
Sun Aug 20 15:14:02 EDT 2000


~ :> no, internally it's represented as a linked list (last time I checked that
~ :> part of the code ;-)), enumeration could be an option though, if needed.
~ :
~ :But is it some compilation or running option already existing, or it must be
~ :done? If so, what is the best way to do it ?


Would probably require an extra field added to the RuleTreeNode structure,
incrementing it as a counter every time the rule is processed.

~ :
~ :Sorry, lack of explaining! :-)
~ :When I say online, I mean that I want to add some routine that accepts
~ :connections from outside and one of the operations may be change rule nr. 15. How
~ :can this be done in Snort? If the rules are numbered, we can look for rule nr.
~ :15, get a pointer to it, and then we change it (I guess this is correct...)

yeah, might work. Although a sort of painful way to do it (easier to change
the rule in the text file and restart it); however, if you want this, you will
need to implement either a parallel thread (and use a mutex to block ruleptr) or
maybe put something in pcap with select(..) stuff. When you get a request to
change a rule, run through the whole rule, free all allocated memory it
refers to, then create the whole structure again according to the rule
you get :)
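
The approach described in the message above, as an added example that is not part of the original message and is not Snort code: a numbered linked list of rules with a per-rule hit counter, and a mutex-guarded replacement of one rule by number. The `rule_t` type, the function names and the rule strings are hypothetical; unlike the wording above, the replacement text is built before the lock is taken so the packet path is blocked only for the pointer swap.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified rule node; NOT Snort's real RuleTreeNode. */
typedef struct rule {
    int number;           /* enumeration index, 1-based */
    unsigned long hits;   /* extra counter field, bumped on each match */
    char *text;           /* heap-allocated rule body */
    struct rule *next;
} rule_t;
static rule_t *rule_head;
static pthread_mutex_t rule_lock = PTHREAD_MUTEX_INITIALIZER;
static char *dup_text(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}
static rule_t *find_locked(int number) {   /* caller must hold rule_lock */
    rule_t *r = rule_head;
    while (r && r->number != number) r = r->next;
    return r;
}
int rule_add(const char *text) {           /* returns rule number, -1 on failure */
    rule_t *r = calloc(1, sizeof *r), **pp = &rule_head;
    if (!r || !(r->text = dup_text(text))) { free(r); return -1; }
    pthread_mutex_lock(&rule_lock);
    for (r->number = 1; *pp; pp = &(*pp)->next) r->number++;
    *pp = r;
    int n = r->number;
    pthread_mutex_unlock(&rule_lock);
    return n;
}
/* Packet path: count a hit if rule `number` equals `text`; returns hits, else 0. */
unsigned long rule_process(int number, const char *text) {
    pthread_mutex_lock(&rule_lock);
    rule_t *r = find_locked(number);
    unsigned long h = (r && strcmp(r->text, text) == 0) ? ++r->hits : 0;
    pthread_mutex_unlock(&rule_lock);
    return h;
}
int rule_replace(int number, const char *new_text) {  /* 0 on success, else -1 */
    char *stale = dup_text(new_text);       /* allocate before locking */
    if (!stale) return -1;
    pthread_mutex_lock(&rule_lock);
    rule_t *r = find_locked(number);
    if (r) { char *t = r->text; r->text = stale; stale = t; r->hits = 0; }
    pthread_mutex_unlock(&rule_lock);
    free(stale);                            /* old text, or the unused copy */
    return r ? 0 : -1;
}
```

A control routine that accepts change requests would call `rule_replace()` from its own thread while the capture loop calls `rule_process()`.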






