[Snort-users] Changing rules online

Nuno Niguel Neves nneves at ...351...
Sun Aug 20 07:47:04 EDT 2000


Fyodor wrote:

> ~ :Two questions about snort:
> ~ :
> ~ :1 - Does snort number the rules? That is, can I access rule nr. 15? If not,
> ~ :can this be done?
>
> no, internally it's represented as a linked list (last time I checked that
> part of the code ;-)), enumiration could be an option though, if needed.

But is it some compilation or running option already existing, or it must be
done? If so, what is the best way to do it ?

>
>
> ~ :2 - If I want to be able to add or change rules online, how can this be
> ~ :done? (If the rules are numbered, this should be easy, I think :-)!).
> ~ :
>
>  What do you mean by `online'?

Sorry, lack of explaining! :-)
When I say online, I mean that I want to add some routine that accepts
connections from outside and one of the operations may be change rule nr. 15. How
can this be done in Snort? If the rules are numbered, we can look for rule nr.
15, get a pointer to it, and then we change it (I guess this is correct...)

For instance I have a rule nr. 23 that specifies a source port of 1024, but I
want to change it so as to specify port 1025. I would search for rule nr. 23, get
a pointer to it (tmp_ptr) and then just do

tmp_ptr->hdp=1025

PS - I know there might be some performance loss, but that is insignificant for
me.

Thanks



--
                  nneves at ...351...    Dept. Informatica, Fac. Ciencias,
|\ |    |\ |      Tel: +351 21 7500528  Univ. Lisboa, Bloco C5, Campo Grande
| \|uno | \|eves  Fax: +351 21 7500084  1700 Lisboa, Portugal








More information about the Snort-users mailing list