Re: Developing new IPS action plugin

[Özkan KIRIK via Snort-devel <snort-devel () lists snort org>]

Thank you Russ,

It is just configuring the new action for detection.

For example,

reroute tcp any any -> any any ( msg: "new route test", dst_router_mac:
"11:22:33:44:55:66"; sid: 123 )

or is there any way to pass arguments to newaction?

Thanks


On Sat, May 25, 2019 at 3:57 PM Russ via Snort-devel <
snort-devel () lists snort org> wrote:

> Hmm.  Is your newvar used for detection or just for configuring your
> action?  The goal was to move all action related stuff out of the rule
> body.  You can look at the replace option which works with the reject
> action for probably the closest example but I don't that does what you want.
>
> On 5/24/19 4:24 AM, Özkan KIRIK via Snort-devel wrote:
>
> Hello,
>
> I'm trying to develop a simple ips_action plugin. I need to use arguments
> per rule for action.
>
> newaction tcp any any -> any any ( msg: "new action test", newvar: "abc";
> sid: 123 )
>
> Is it possible to access newvar variable within void
> NewAction::exec(Packet* p) function?
> Or do you suggest another way to pass per rule arguments to action?
>
> Thanks,
> Ozkan
>
> _______________________________________________
> Snort-devel mailing listSnort-devel@lists.snort.orghttps://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!