[Snort-users] rule options and output plugins
joey at ...155...
Tue Jul 25 18:13:00 EDT 2000
I'm looking for the best way to allow output plugins access to rule
options. I'm planning on building a plugin that will need to take a
value from a rule option, and construct an output format based on that
value. For instance, if my keyword is "msg_type", then constructing
rules like the two below will yield different output results.
alert tcp any any -> any 80 (msg:"IDS232 - WEB-CGI-PHP CGI access attempt"; flags:PA; content:"php.cgi?/"; offset: 5; depth: 32; nocase;)
alert tcp any any -> any 143 (msg:"IDS147 - CVE-1999-004 - IMAP-x86-linux-buffer-overflow"; flags:PA; content:"|e8c0 ffff ff|/bin/sh"; msg_type:"overflow";)
The output plugin would then build a descriptive message based on a
template specified by the msg_type.
Is it possible to do this with the current plugin structure, or would
this have to involve changing the internals of Snort?
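As an added illustration (not code from the original post or from Snort itself), the two C functions below read a keyword such as msg_type straight out of a rule's option text and choose an output template from it. The function names and the template strings are made up for this example; Snort's internal rule structures are not used.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Find keyword `key` in the option block of a Snort rule and copy its value
 * (quotes stripped) into out. A quoted value is scanned as one unit, so ';'
 * or ':' inside a content string cannot end the option early. Returns 1 if
 * found, 0 if not. Stand-alone demonstration, not Snort's own parser. */
int rule_option(const char *rule, const char *key, char *out, size_t outlen) {
    const char *p = strchr(rule, '(');
    if (!p) return 0;
    for (p++; *p && *p != ')'; ) {
        while (isspace((unsigned char)*p)) p++;
        const char *k = p;                       /* keyword start */
        while (*p && *p != ':' && *p != ';' && *p != ')') p++;
        size_t klen = (size_t)(p - k);
        while (klen && isspace((unsigned char)k[klen - 1])) klen--;
        const char *v = NULL; size_t vlen = 0;
        if (*p == ':') {                         /* keyword carries a value */
            for (p++; isspace((unsigned char)*p); p++) {}
            if (*p == '"') {                     /* quoted: up to closing quote */
                v = ++p;
                while (*p && *p != '"') p++;
                vlen = (size_t)(p - v);
                if (*p == '"') p++;
            } else {                             /* bare: up to ';' or ')' */
                v = p;
                while (*p && *p != ';' && *p != ')') p++;
                vlen = (size_t)(p - v);
                while (vlen && isspace((unsigned char)v[vlen - 1])) vlen--;
            }
        }
        if (*p == ';') p++;
        if (v && klen == strlen(key) && strncmp(k, key, klen) == 0) {
            if (vlen >= outlen) vlen = outlen - 1;   /* never overrun out */
            memcpy(out, v, vlen); out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Output side: pick a (hypothetical) template from msg_type; plain msg otherwise. */
int format_alert(const char *rule, char *out, size_t outlen) {
    char msg[160], type[32];
    if (!rule_option(rule, "msg", msg, sizeof msg)) return -1;
    if (!rule_option(rule, "msg_type", type, sizeof type))
        return snprintf(out, outlen, "%s", msg);
    if (strcmp(type, "overflow") == 0)
        return snprintf(out, outlen, "Buffer overflow attempt (%s)", msg);
    return snprintf(out, outlen, "[%s] %s", type, msg);
}
```

Run against the two rules from the post, the first yields the bare msg text and the second the overflow template, which is the behaviour the proposed option is meant to produce.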