[Snort-users] modules (was: announcement & questions: user sp ace firewall)

Dan Hollis goemon at ...20...
Wed Nov 29 20:47:56 EST 2000

On Wed, 29 Nov 2000, Austad, Jay wrote:
> I was looking at this and thinking...  How modular is snort?  How hard would
> it be to make it so if someone wanted another feature, they could just load
> the module in the .conf file by putting something like:
> module /usr/lib/snort/modules/firewall_module.so
> module /usr/lib/snort/modules/oracledb_logger.so
> And then they could take advantage of the added functionality by putting
> extra options in rulesets, or adding more configuration lines which tell
> that module what to do.
> Then, the core functionality of snort would be the same, and it wouldn't
> require extensive modifications everytime someone wanted to add a feature.
> I don't know how feasible this is, or maybe it's already possible...  Just a
> thought.

It is feasible, on systems with dlopen(). Straightforward way would be for
snort to scan a directory for shared modules, and then call a registration
routine in each module (eg firewall_module_register(),
oracledb_logger_register()) to register a list of functions, which could
then be chained to rules. This would be especially useful when
functionality for calling multiple actions per rule is added to snort.


More information about the Snort-users mailing list