Snort mailing list archives
RE-Announcing sp_perl
From: Brian <bmc () snort org>
Date: Tue, 13 May 2003 09:48:56 -0400
On Sat, May 10, 2003 at 03:48:47AM -0700, Jeff Nathan wrote:
> As described in our CanSecWest/core03 presentation, Advanced IDS, Brian Caswell and I are proud to present a new detection plugin for Snort: sp_perl. This detection plugin offers users full regular expression matching within a Snort rule as well as runtime execution of perl code.

And now since we've had more eyes on the problem than just ours, the dummy factor kicked in and we've cleaned it up quite a bit. There are a few major changes in this new version:

* ports are passed as an int. If the packet isn't TCP or UDP, they are set to 0 (snort does this for us). So be smart if you are using ports.
* IPs are passed as an unsigned int. If you want to use the stringified IP, we provide a perl version of inet_ntoa.
* all of the alloc calls have been replaced with SnortAlloc, to make Chris's auditing easier.
* the payload is no longer converted to a string and passed onto the perl stack. perl supports passing a pointer & length, but it wasn't clearly documented.

Since we are no longer stringifying the data before passing it onto the perl stack, sp_perl has gained a HUGE increase in speed.

The updated readme, patches, and presentation are all available on snort.org, here:
http://www.snort.org/dl/contrib/patches/snort-perl/

-brian