Snort mailing list archives

snort3 - is there any file_id .lua inspector plugin template to change verdict.


From: Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Date: Wed, 1 Jun 2022 08:13:12 +0300

Hi,

I'm trying to write a ClamAV plugin for files detected by snort3.
Is there any .lua or .cc plugin example for this?

If it's possible, I'm thinking of writing a file_id inspector plugin,
scanning the file, and then setting the verdict or generating a GID / SID
event (like DetectionEngine::queue_event(DF_GID, DF_SID);) and blocking
packets with GID/SID.
Is it the right way? If not, which way do you suggest?

Thanks & Regards
Özkan.