snort-devel May 2009 archive

[Snort-devel] Looking at rule metadata from an output plugin

From: Alan M. Carroll <amc_at_nospam>
Date: Thu May 28 2009 - 02:45:00 GMT
To: snort-devel@lists.sourceforge.net


I am working on an output plugin for Snort 2.8.4 and it would be handy to have access to metadata. However, looking at the code it appears that rule metadata that is not used by Snort is discarded and not available.

One approach would be to use some other parser logic to read the rule file, extract the metadata, and then use signature identifiers to match up, but that seems a bit redundant, especially for something that is compiled into Snort, whose parser already fully parses the metadata.

My current plan is to augment ParseMetadata to have a list of name/function pairs. After checking the known metadata keys, if unmatched it would traverse the list comparing the key to the strings. Upon a match, the corresponding function would be called and passed the OptTreeNode, the key, and the value (all of which are in local variables by this point). Then I would add a "RegisterMetadataHandler" function to allow plugins to populate the list.

I am left with three questions:

  1. Is this a reasonable approach?
  2. Would anyone else be interested in it, i.e. should I plan on making it robust enough for others to use?
  3. How should my plugin interact safely with the ds_list member of OptTreeNode? Presumably it needs to get a globally unique index, but how is that done?

Thanks!
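One way the handler registry described in the post could be laid out, as an added example written for this page and not code from Snort 2.8.4 or from the poster. ParseMetadata, OptTreeNode and RegisterMetadataHandler are the names the post uses, but their definitions here, the set of "known" keys, the example impact handler and the sample metadata string are all assumptions constructed for the example. The parser splits the metadata option body on commas, takes the first whitespace-delimited token of each entry as the key, hands known keys to the core path, and walks the registry for anything else; unknown keys are dropped, which is the behaviour the post describes.

```c
/* Added example (not Snort code). Names follow the post; the struct layout,
 * built-in key set and handler are assumptions for a stand-alone demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HANDLERS 16
#define MAX_KEY 64
#define MAX_VAL 256

/* Stand-in for Snort's OptTreeNode: only the fields this example needs. */
typedef struct {
    unsigned sid;
    unsigned builtin_hits;      /* entries consumed by the known-key path */
    char plugin_val[MAX_VAL];   /* filled in by a registered handler */
} OptTreeNode;

typedef void (*MetadataHandlerFn)(OptTreeNode *otn, const char *key, const char *value);

typedef struct {
    const char *key;
    MetadataHandlerFn fn;
} MetadataHandler;

static MetadataHandler handlers[MAX_HANDLERS];
static int num_handlers = 0;

/* Called by a plugin at init time to claim a metadata key. Returns 0 on
 * success, -1 if the table is full or the key already has an owner. */
int RegisterMetadataHandler(const char *key, MetadataHandlerFn fn)
{
    if (num_handlers >= MAX_HANDLERS || key == NULL || fn == NULL)
        return -1;
    for (int i = 0; i < num_handlers; i++)
        if (strcmp(handlers[i].key, key) == 0)
            return -1;
    handlers[num_handlers].key = key;
    handlers[num_handlers].fn = fn;
    num_handlers++;
    return 0;
}

/* Keys the core parser consumes itself (assumed set for this example). */
static int is_builtin_key(const char *key)
{
    static const char *builtin[] = { "engine", "service", "policy", NULL };
    for (int i = 0; builtin[i]; i++)
        if (strcmp(builtin[i], key) == 0)
            return 1;
    return 0;
}

/* Strip leading/trailing whitespace in place. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Parse a metadata option body of the form "key value, key value, ...".
 * Returns the number of entries dispatched to a registered handler, or -1
 * on malformed input (a key with no value, or an over-long token). */
int ParseMetadata(OptTreeNode *otn, const char *body)
{
    char buf[1024];
    size_t len = strlen(body);
    if (len >= sizeof buf) return -1;
    memcpy(buf, body, len + 1);

    int dispatched = 0;
    char *p = buf;
    while (p) {
        char *comma = strchr(p, ',');
        if (comma) *comma = '\0';
        char *entry = trim(p);
        p = comma ? comma + 1 : NULL;
        if (*entry == '\0') continue;            /* tolerate empty entries */

        char *sp = entry;
        while (*sp && !isspace((unsigned char)*sp)) sp++;
        if (*sp == '\0') return -1;              /* key with no value */
        *sp = '\0';
        const char *key = entry;
        const char *value = trim(sp + 1);
        if (strlen(key) >= MAX_KEY || strlen(value) >= MAX_VAL) return -1;

        if (is_builtin_key(key)) { otn->builtin_hits++; continue; }

        for (int i = 0; i < num_handlers; i++) {
            if (strcmp(handlers[i].key, key) == 0) {
                handlers[i].fn(otn, key, value);
                dispatched++;
                break;
            }
        }
        /* keys matched by neither path are dropped */
    }
    return dispatched;
}

/* Example plugin handler: retain the value of a hypothetical "impact" key. */
static void impact_handler(OptTreeNode *otn, const char *key, const char *value)
{
    (void)key;
    strcpy(otn->plugin_val, value);   /* length already bounded by MAX_VAL */
}

static OptTreeNode demo_otn;

/* Register the handler and parse a constructed rule's metadata. */
int demo(void)
{
    num_handlers = 0;
    memset(&demo_otn, 0, sizeof demo_otn);
    demo_otn.sid = 1000001;
    RegisterMetadataHandler("impact", impact_handler);
    return ParseMetadata(&demo_otn,
        "engine shared, impact Attempted Admin, service http, vendor foo");
}
const char *demo_impact(void) { return demo_otn.plugin_val; }
unsigned demo_builtin_hits(void) { return demo_otn.builtin_hits; }

int main(void)
{
    int n = demo();
    printf("sid %u: %d dispatched, %u builtin, impact=\"%s\"\n",
           demo_otn.sid, n, demo_builtin_hits(), demo_impact());
    return 0;
}
```

The registry refuses a second owner for the same key, since two plugins silently fighting over one value is the kind of bug that only shows up in production output; the caller gets -1 and can log it at init. The value is taken as everything after the first whitespace, so multi-word values such as "Attempted Admin" survive intact.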




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel