Snort mailing list archives
Re: how to call my own function on snort - Help
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Mon, 26 Sep 2011 18:03:04 -0400
Hello ndritsos,
The best way to call your function from a rule is to write a Shared Object
(.so) rule. There are plenty of examples in
src/dynamic-plugins/sf_engine/examples to help you get started.
Some quick steps:
- Create a new .c file in the examples directory
- Declare a Rule struct (defined in
src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h)
- Modify your function to fit the format:
int myfunction(void *p)
Where (void *p) can be cast to SFSnortPacket, defined in
src/dynamic-plugins/sf_engine/sf_snort_packet.h
- Set the "evalFunc" member of "Rule" to point to your function
- Modify src/dynamic-plugins/sf_engine/examples/Makefile.am to include your
.c file
- Modify src/dynamic-plugins/sf_engine/examples/rules.c to include a
reference to your Rule object
There's not a whole lot of documentation on writing shared object rules, but
the "Snort Devel" mailing list is a good place to ask questions. Check out
http://www.snort.org/community/mailing-lists/ .
-Ryan
On Mon, Sep 26, 2011 at 5:27 PM, ndritsos <ndritsos () gmail com> wrote:
Hello guys,
I need your help. I have a function in C:
void myfunction( seqNUmber, ackNumber , srcIP, dstIP,srcPort,destPort ){
// here is the code , that is doing something
}
I want to know how I can call this function from a Snort rule.
Could you please give me hints / steps that I have to do?
Thank you in advance.
PS: I am so sorry for my terrible English.
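The adapter step from the reply above ("modify your function to fit the format int myfunction(void *p)" and point evalFunc at it), as an added example that is not part of the original thread or of the Snort source. It wraps the six-argument function from the question in an evaluation callback that checks the packet's headers before reading them, since rule code also sees non-TCP traffic. Assumptions: the Demo* structs are simplified stand-ins for SFSnortPacket and Rule (the real definitions are in the headers named in the reply and may use different field names), and DEMO_MATCH/DEMO_NOMATCH, myfunction_eval, eval_constructed and seen are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h> /* htonl/ntohl, htons/ntohs */
/* Simplified stand-ins (assumptions) for SFSnortPacket and Rule so this builds
 * without the Snort tree; the real structs have more members. */
typedef struct { uint32_t source, destination; } DemoIPv4Header;
typedef struct { uint16_t source_port, destination_port;
                 uint32_t sequence, acknowledgement; } DemoTCPHeader;
typedef struct { DemoIPv4Header *ip4_header; DemoTCPHeader *tcp_header; } DemoPacket;
typedef struct { int (*evalFunc)(void *); } DemoRule;
enum { DEMO_NOMATCH = 0, DEMO_MATCH = 1 }; /* hypothetical return codes */

/* Last arguments seen by myfunction, kept so the call can be checked. */
static struct { uint32_t seq, ack, src, dst; uint16_t sport, dport; int calls; } seen;

/* The poster's six-argument function with explicit types, host byte order. */
static void myfunction(uint32_t seqNumber, uint32_t ackNumber, uint32_t srcIP,
                       uint32_t dstIP, uint16_t srcPort, uint16_t destPort)
{
    seen.seq = seqNumber; seen.ack = ackNumber; seen.src = srcIP;
    seen.dst = dstIP; seen.sport = srcPort; seen.dport = destPort;
    seen.calls++;
}

/* Adapter in the int f(void *p) shape that evalFunc points to. */
static int myfunction_eval(void *p)
{
    DemoPacket *pkt = (DemoPacket *)p;
    /* Non-TCP or undecoded packets reach rule code too: check before use. */
    if (pkt == NULL || pkt->ip4_header == NULL || pkt->tcp_header == NULL)
        return DEMO_NOMATCH;
    const DemoIPv4Header *ip = pkt->ip4_header;
    const DemoTCPHeader *tcp = pkt->tcp_header;
    /* Assumed: header fields are in network byte order, as on the wire. */
    myfunction(ntohl(tcp->sequence), ntohl(tcp->acknowledgement),
               ntohl(ip->source), ntohl(ip->destination),
               ntohs(tcp->source_port), ntohs(tcp->destination_port));
    return DEMO_MATCH;
}

static DemoRule demo_rule = { myfunction_eval };
/* Runs the rule on a constructed packet: 192.0.2.1:49152 -> 198.51.100.7:80. */
static int eval_constructed(int has_tcp)
{
    DemoIPv4Header ip = { htonl(0xC0000201u), htonl(0xC6336407u) };
    DemoTCPHeader tcp = { htons(49152), htons(80), htonl(1000u), htonl(2000u) };
    DemoPacket pkt = { &ip, has_tcp ? &tcp : NULL };
    return demo_rule.evalFunc(&pkt);
}
```

In a real shared object rule the Demo* types are replaced by the declarations from sf_snort_plugin_api.h and sf_snort_packet.h, and the Rule object is registered in rules.c as the reply describes.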
