[Snort-users] modules (was: announcement & questions: user space firewall)

Austad, Jay austad at ...432...
Wed Nov 29 20:02:41 EST 2000

I was looking at this and thinking...  How modular is snort?  How hard would
it be to make it so if someone wanted another feature, they could just load
the module in the .conf file by putting something like:
module /usr/lib/snort/modules/firewall_module.so
module /usr/lib/snort/modules/oracledb_logger.so

And then they could take advantage of the added functionality by putting
extra options in rulesets, or adding more configuration lines which tell
that module what to do.

Then, the core functionality of snort would be the same, and it wouldn't
require extensive modifications every time someone wanted to add a feature.
I don't know how feasible this is, or maybe it's already possible...  Just a


-----Original Message-----
From: Dan Hollis [mailto:goemon at ...20...]
Sent: Wednesday, November 29, 2000 5:52 PM
To: Todd Lewis
Cc: Martin Roesch; Snort Users
Subject: Re: [Snort-users] announcement & questions: user space firewall

On Wed, 29 Nov 2000, Todd Lewis wrote:
> On Tue, 28 Nov 2000, Martin Roesch wrote:
> > Ok, this doesn't look like it'd be too terribly hard to implement.  One
> > interesting thing to consider is the interaction that this will have
> > with Andrew Baker's multi-level alerts that will be coming out in Snort 1.7.
> Would it be the end of the world if I added this now?  I'm eager to get
> work done.

How about multiple checks per rule, sort of like ipchains where you can
chain rules together. This could cut down on false alarms by allowing more
precise criteria for packet matching.

