[Snort-users] Changing rules online
Nuno Niguel Neves
nneves at ...351...
Sun Aug 20 07:47:04 EDT 2000
> ~ :Two questions about snort:
> ~ :
> ~ :1 - Does snort number the rules? That is, can I access rule nr. 15? If not,
> ~ :can this be done?
> no, internally it's represented as a linked list (last time I checked that
> part of the code ;-)), enumeration could be an option though, if needed.
But is it some compilation or running option that already exists, or must it be
done? If so, what is the best way to do it?
> ~ :2 - If I want to be able to add or change rules online, how can this be
> ~ :done? (If the rules are numbered, this should be easy, I think :-)!).
> ~ :
> What do you mean by `online'?
Sorry, lack of explaining! :-)
When I say online, I mean that I want to add some routine that accepts
connections from outside, and one of the operations may be to change rule nr. 15. How
can this be done in Snort? If the rules are numbered, we can look for rule nr.
15, get a pointer to it, and then we change it (I guess this is correct...).
For instance I have a rule nr. 23 that specifies a source port of 1024, but I
want to change it so as to specify port 1025. I would search for rule nr. 23, get
a pointer to it (tmp_ptr) and then just do
PS - I know there might be some performance loss, but that is insignificant for
nneves at ...351... Dept. Informatica, Fac. Ciencias,
|\ | |\ | Tel: +351 21 7500528 Univ. Lisboa, Bloco C5, Campo Grande
| \|uno | \|eves Fax: +351 21 7500084 1700 Lisboa, Portugal