[Snort-users] RE-Announcing sp_perl
bmc at ...950...
Tue May 13 06:45:09 EDT 2003
On Sat, May 10, 2003 at 03:48:47AM -0700, Jeff Nathan wrote:
> As described in our CanSecWest/core03 presentation, Advanced IDS, Brian
> Caswell and I are proud to present a new detection plugin for Snort:
> sp_perl. This detection plugin offers users full regular expression
> matching within a Snort rule as well as runtime execution of perl code.
And now since we've had more eyes on the problem then just ours, the
dummy factor kicked in and we've cleaned it up quite a bit.
There are a few major changes in this new version:
* ports are passed as an int. if the packet isn't TCP or UDP, they
are set to 0 (snort does this for us). So be smart if you are
* IPs are passed as an unsigned int. If you want to use the
stringified IP, we provide a perl version of inet_ntoa.
* all of the alloc calls have been replaced with SnortAlloc, to make
Chris's auditing easier.
* the payload is no longer converted to a string and passed onto the
perl stack. perl supports passing a pointer & length, but it wasn't
Since we are no longer stringifying the data before passing it onto
the perl stack, sp_perl has gained a HUGE increase in speed.
The updated readme, patches, and presentation are all available on
More information about the Snort-users