[Snort-users] Changing rules online

Nuno Miguel Neves nneves at ...351...
Mon Aug 21 06:02:13 EDT 2000


Fyodor wrote:
> 
> ~ :> no, internally it's represented as a linked list (last time I checked that
> ~ :> part of the code ;-)), enumeration could be an option though, if needed.
> ~ :
> ~ :But is it some compilation or running option already existing, or it must be
> ~ :done? If so, what is the best way to do it ?
> 
> Would probably require an extra-field added to RuleTreeNode structure and
> increment it as counter every time the rule is processed.

What's the best place to put it?
In the ProcessHeadNode() function? Right above the SetupRTFuncList() call? 
> ~ :
> ~ :Sorry, lack of explaining! :-)
> ~ :When I say online, I mean that I want to add some routine that accepts
> ~ :connections from outside and one of the operations may be change rule nr. 15. How
> ~ :can this be done in Snort? If the rules are numbered, we can look for rule nr.
> ~ :15, get a pointer to it, and then we change it (I guess this is correct...)
> 
> yeah, might work. Although a sort of painful way to do it (easier to change
> the rule in the text file and restart it); however, if you want this, you will
> need to implement either a parallel thread (and use a mutex to block ruleptr)
> or maybe put something in pcap with select(..) stuff. When you get a request
> to change a rule, run through the whole rule, free all allocated memory it
> refers to, then create the whole structure again according to the rule
> you get :)

Is there some reason why I cannot change only the fields I want? Must I
recreate the rule?

Thanks
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--                  
                  nneves at ...351...    Dept. Informatica, Fac. Ciencias,
|\ |    |\ |      Tel: +351 21 7500528  Univ. Lisboa, Bloco C5, Campo Grande
| \|uno | \|eves  Fax: +351 21 7500084  1700 Lisboa, Portugal
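
The approach Fyodor outlines in the quoted text (rules kept in a linked list, found by number, and replaced whole while a mutex blocks the rule pointer), as an added C sketch that is not part of the original thread and is not Snort code. `Rule`, `rule_set` and `rule_match` are hypothetical names, and a plain substring pattern stands in for a real rule body.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified rule; not Snort's RuleTreeNode. */
typedef struct Rule { int id; char *pattern; struct Rule *next; } Rule;

static Rule *rules;                                   /* list head */
static pthread_mutex_t rules_lock = PTHREAD_MUTEX_INITIALIZER;

/* Build a complete rule before any other thread can see it. */
static Rule *rule_new(int id, const char *pattern) {
    Rule *r = calloc(1, sizeof *r);
    if (r && !(r->pattern = malloc(strlen(pattern) + 1))) { free(r); r = NULL; }
    if (r) { strcpy(r->pattern, pattern); r->id = id; }
    return r;
}

/* Caller holds rules_lock. Returns the link pointing at rule `id`,
 * or the tail link (pointing at NULL) when no such rule exists. */
static Rule **rule_link(int id) {
    Rule **pp = &rules;
    while (*pp && (*pp)->id != id) pp = &(*pp)->next;
    return pp;
}

/* Packet path: 1 = payload matches rule `id`, 0 = no match, -1 = no rule. */
int rule_match(int id, const char *payload) {
    pthread_mutex_lock(&rules_lock);
    Rule *r = *rule_link(id);
    int hit = r ? strstr(payload, r->pattern) != NULL : -1;
    pthread_mutex_unlock(&rules_lock);
    return hit;
}

/* Control path: create the whole rule, swap it in under the mutex, then
 * free all memory the old rule referred to. Unknown ids are appended. */
int rule_set(int id, const char *pattern) {
    Rule *fresh = rule_new(id, pattern);   /* allocate outside the lock */
    if (!fresh) return -1;
    pthread_mutex_lock(&rules_lock);
    Rule **pp = rule_link(id), *old = *pp;
    if (old) fresh->next = old->next;
    *pp = fresh;
    pthread_mutex_unlock(&rules_lock);
    if (old) { free(old->pattern); free(old); }
    return old ? 1 : 0;                    /* 1 = replaced, 0 = added */
}
```

Because readers only touch a rule while holding `rules_lock`, the packet path sees either the old rule or the new one in full, and the old rule is freed only after it has been unlinked.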




