[Snort-users] modules (was: announcement & questions: user space firewall)

Dan Hollis goemon at ...20...
Wed Nov 29 20:47:56 EST 2000


On Wed, 29 Nov 2000, Austad, Jay wrote:
> I was looking at this and thinking...  How modular is snort?  How hard would
> it be to make it so if someone wanted another feature, they could just load
> the module in the .conf file by putting something like:
> module /usr/lib/snort/modules/firewall_module.so
> module /usr/lib/snort/modules/oracledb_logger.so
> And then they could take advantage of the added functionality by putting
> extra options in rulesets, or adding more configuration lines which tell
> that module what to do.
> Then, the core functionality of snort would be the same, and it wouldn't
> require extensive modifications every time someone wanted to add a feature.
> I don't know how feasible this is, or maybe it's already possible...  Just a
> thought.

It is feasible, on systems with dlopen(). A straightforward way would be for
snort to scan a directory for shared modules, and then call a registration
routine in each module (e.g. firewall_module_register(),
oracledb_logger_register()) to register a list of functions, which could
then be chained to rules. This would be especially useful when
functionality for calling multiple actions per rule is added to snort.

-Dan
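
The directory-scan-and-register scheme described in the reply above, as an added example that is not part of the original post and is not Snort code. The `register_fn` signature, the helper names and the root-owned, not group/other-writable policy are assumptions made for illustration; the policy is there because every file the loader dlopen()s runs with the sensor's privileges.

```c
/* Added example: directory-scanning module loader with a trust check before dlopen(). */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

typedef int (*register_fn)(void);   /* hypothetical registration signature */

/* "firewall_module.so" -> "firewall_module_register"; 0 on success, -1 otherwise. */
int register_symbol_for(const char *file, char *out, size_t outlen) {
    const char *base = strrchr(file, '/');
    base = base ? base + 1 : file;
    size_t n = strlen(base);
    if (n <= 3 || strcmp(base + n - 3, ".so") != 0) return -1;
    int w = snprintf(out, outlen, "%.*s_register", (int)(n - 3), base);
    return (w > 0 && (size_t)w < outlen) ? 0 : -1;
}

/* Assumed policy: root-owned regular file, not writable by group or other. */
int mode_is_trusted(mode_t mode, uid_t owner) {
    return S_ISREG(mode) && owner == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Load each trusted module in dir and call its registration routine; returns count. */
int load_modules(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int loaded = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[4096], sym[256];
        struct stat st;
        if (register_symbol_for(e->d_name, sym, sizeof sym) != 0) continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path) continue;
        if (lstat(path, &st) != 0 || !mode_is_trusted(st.st_mode, st.st_uid)) {
            fprintf(stderr, "skipping untrusted module %s\n", path);  /* symlinks land here */
            continue;
        }
        void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
        if (!h) { fprintf(stderr, "%s\n", dlerror()); continue; }
        register_fn reg = (register_fn)dlsym(h, sym);
        if (reg && reg() == 0) loaded++;   /* handle stays open for the process lifetime */
        else dlclose(h);
    }
    closedir(d);
    return loaded;
}
```

The per-file check only holds if the module directory itself is also root-owned and not writable by others, since the file is checked by path before it is opened. On glibc older than 2.34, link with `-ldl`.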
