Snort mailing list archives
Re: Developing new IPS action plugin
From: Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Date: Mon, 27 May 2019 17:15:26 +0300
It's type err. It is just configuring the new action. On Mon, May 27, 2019 at 5:11 PM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
Thank you Russ, It is just configuring the new action for detection. For example, reroute tcp any any -> any any ( msg: "new route test", dst_router_mac: "11:22:33:44:55:66"; sid: 123 ) or is there any way to pass arguments to newaction? Thanks On Sat, May 25, 2019 at 3:57 PM Russ via Snort-devel < snort-devel () lists snort org> wrote:Hmm. Is your newvar used for detection or just for configuring your action? The goal was to move all action related stuff out of the rule body. You can look at the replace option which works with the reject action for probably the closest example but I don't that does what you want. On 5/24/19 4:24 AM, Özkan KIRIK via Snort-devel wrote: Hello, I'm trying to develop a simple ips_action plugin. I need to use arguments per rule for action. newaction tcp any any -> any any ( msg: "new action test", newvar: "abc"; sid: 123 ) Is it possible to access newvar variable within void NewAction::exec(Packet* p) function? Or do you suggest another way to pass per rule arguments to action? Thanks, Ozkan _______________________________________________ Snort-devel mailing listSnort-devel@lists.snort.orghttps://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort! _______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Developing new IPS action plugin Özkan KIRIK via Snort-devel (May 24)
- Re: Developing new IPS action plugin Russ via Snort-devel (May 25)
- Re: Developing new IPS action plugin Özkan KIRIK via Snort-devel (May 28)
- Re: Developing new IPS action plugin Özkan KIRIK via Snort-devel (May 28)
- Re: Developing new IPS action plugin Özkan KIRIK via Snort-devel (May 28)
- Re: Developing new IPS action plugin Russ via Snort-devel (May 25)