Snort mailing list archives

Re: Developing new IPS action plugin


From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Fri, 24 May 2019 11:31:52 -0400

Hmm.  Is your newvar used for detection or just for configuring your action?  The goal was to move all action-related stuff out of the rule body.  You can look at the replace option, which works with the reject action, for probably the closest example, but I don't think that does what you want.

On 5/24/19 4:24 AM, Özkan KIRIK via Snort-devel wrote:
Hello,

I'm trying to develop a simple ips_action plugin. I need to use arguments per rule for action.

newaction tcp any any -> any any ( msg: "new action test"; newvar: "abc"; sid: 123; )

Is it possible to access newvar variable within void NewAction::exec(Packet* p) function?
Or do you suggest another way to pass per rule arguments to action?

Thanks,
Ozkan

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
