[Snort-users] rule options and output plugins

Joe McAlerney joey at ...155...
Tue Jul 25 18:13:00 EDT 2000


I'm looking for the best way to allow output plugins access to rule
options.  I'm planning on building a plugin that will need to take a
value from a rule option, and construct an output format based on that
value.  For instance, if my key word is "msg_type", then constructing
rules like the two below will yield different output results.

alert tcp any any -> any 80 (msg:"IDS232 - WEB-CGI-PHP CGI access
attempt";flags:PA; content:"php.cgi?/"; offset: 5; depth: 32; nocase;
msg_type:"web"; )

alert tcp any any -> any 143 (msg:"IDS147 - CVE-1999-004 -
IMAP-x86-linux-buffer-overflow";flags:PA; content:"|e8c0 ffff
ff|/bin/sh"; msg_type:"overflow"; )

The output plugin would then build a descriptive message based on a
template specified by the msg_type.

Is it possible to do this with the current plugin structure, or would
this have to involve changing the internals of Snort?

Thanks,

-Joe M.
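As an added illustration of the mechanism the post describes (not Joe's code, and not Snort's plugin API), the following Python parses Snort-style rule text, pulls out the hypothetical `msg_type` option, and renders the alert through a template chosen by that value. The two rules are copies of the ones in the post joined onto single lines; `msg_type`, the template strings and the `TEMPLATES` table are assumptions made for this example. The option parser respects quotes, so a `;` inside a `msg` or `content` string does not split the option, which is the edge case a naive split on `;` gets wrong.

```python
# Added example: extract a custom rule option ("msg_type") from Snort-style
# rule text and pick an output template from it. Stand-alone, independent of
# any Snort internals; "msg_type" is a hypothetical option, not a real keyword.

# Constructed sample rules (the two from the post, joined onto one line each).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"IDS232 - WEB-CGI-PHP CGI access attempt"; '
    'flags:PA; content:"php.cgi?/"; offset: 5; depth: 32; nocase; msg_type:"web"; )',
    'alert tcp any any -> any 143 (msg:"IDS147 - CVE-1999-004 - '
    'IMAP-x86-linux-buffer-overflow"; flags:PA; content:"|e8c0 ffff ff|/bin/sh"; '
    'msg_type:"overflow"; )',
]

# Assumed templates keyed by msg_type; fields come from the rule header/options.
TEMPLATES = {
    "web": "[web] {msg} -> review request to port {dport} for {content}",
    "overflow": "[overflow] {msg} -> possible shellcode; isolate host and capture full session",
}
DEFAULT_TEMPLATE = "[generic] {msg}"


def split_rule(rule):
    """Split 'action proto src sport dir dst dport (options)' into header dict and option body."""
    header, _, body = rule.partition("(")
    body = body.rstrip()
    if not body.endswith(")"):
        raise ValueError("rule option body is not closed with ')'")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("expected 7 header fields, got %d" % len(fields))
    names = ("action", "proto", "src", "sport", "direction", "dst", "dport")
    return dict(zip(names, fields)), body[:-1]


def parse_options(body):
    """Return [(key, value)] pairs; value is None for flag options such as 'nocase'.
    A ';' inside double quotes is part of the value, not a separator."""
    opts = []
    i, n = 0, len(body)
    while i < n:
        while i < n and body[i].isspace():      # skip whitespace between options
            i += 1
        if i >= n:
            break
        j = i
        while j < n and body[j] not in ":;":    # read the option keyword
            j += 1
        key = body[i:j].strip()
        if j >= n or body[j] == ";":            # keyword with no value (flag)
            opts.append((key, None))
            i = j + 1
            continue
        j += 1                                  # step past ':'
        chars, in_quote = [], False
        while j < n:                            # read value up to an unquoted ';'
            c = body[j]
            if c == '"':
                in_quote = not in_quote
            elif c == ";" and not in_quote:
                break
            chars.append(c)
            j += 1
        if in_quote:
            raise ValueError("unterminated quote in option %r" % key)
        value = "".join(chars).strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        opts.append((key, value))
        i = j + 1
    return opts


def render(rule):
    """Build the output line for a rule using the template selected by msg_type."""
    header, body = split_rule(rule)
    optmap = {}
    for key, value in parse_options(body):
        optmap.setdefault(key, value)           # first occurrence wins
    template = TEMPLATES.get(optmap.get("msg_type"), DEFAULT_TEMPLATE)
    return template.format(msg=optmap.get("msg", ""),
                           content=optmap.get("content", ""), **header)


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(render(r))
```

A rule without `msg_type` falls through to `DEFAULT_TEMPLATE`, so adding the option to a ruleset stays backwards compatible; the parser raises on an unterminated quote rather than silently producing a truncated message.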
