Snort mailing list archives

RE-Announcing sp_perl


From: Brian <bmc () snort org>
Date: Tue, 13 May 2003 09:48:56 -0400

On Sat, May 10, 2003 at 03:48:47AM -0700, Jeff Nathan wrote:
> As described in our CanSecWest/core03 presentation, Advanced IDS, Brian 
> Caswell and I are proud to present a new detection plugin for Snort: 
> sp_perl.  This detection plugin offers users full regular expression 
> matching within a Snort rule as well as runtime execution of perl code.

And now since we've had more eyes on the problem than just ours, the
dummy factor kicked in and we've cleaned it up quite a bit.

There are a few major changes in this new version:

* ports are passed as an int.  if the packet isn't TCP or UDP, they
  are set to 0 (snort does this for us).  So be smart if you are
  using ports.

* IPs are passed as an unsigned int.  If you want to use the
  stringified IP, we provide a perl version of inet_ntoa.  

* all of the alloc calls have been replaced with SnortAlloc, to make
  Chris's auditing easier.

* the payload is no longer converted to a string and passed onto the
  perl stack.  perl supports passing a pointer & length, but it wasn't
  clearly documented.  

Since we are no longer stringifying the data before passing it onto
the perl stack, sp_perl has gained a HUGE increase in speed.

The updated readme, patches, and presentation are all available on
snort.org, here:

   http://www.snort.org/dl/contrib/patches/snort-perl/

-brian

