
Chapter 3
Snort Development

Currently, this chapter is here as a placeholder. It will someday contain references on how to create new detection plugins and preprocessors. End users don't really need to be reading this section. This is intended to help developers get a basic understanding of what's going on quickly.

If you are going to be helping out with snort development, please use the HEAD branch of CVS. We've had problems in the past of people submitting patches only to the stable branch (since they are likely writing this stuff for their own IDS purposes). Bugfixes are what goes into STABLE. Features go into HEAD.

3.1  Submitting Patches

Patches to snort should be sent to the snort-devel@lists.sourceforge.net mailing list and CC'd to cmg@snort.org with a subject of Patch: <subject>.

If the patch is less than 20K in size, please do not gzip it. Patches should be made with the command diff -Nu snort-orig snort-new.

3.2  Snort Dataflow

First, traffic is acquired from the network link via libpcap. Packets are passed through a series of decoder routines that first fill out the Packet structure for link level protocols then are further decoded for things like TCP and UDP ports.

Packets are then sent through the registered set of preprocessors. Each preprocessor checks to see if this packet is something it should look at.

Packets are then sent through the detection engine. The detection engine checks each packet against the various options listed in the snort rules files. Each of the keyword options is a plugin, which makes the detection engine easily extensible.

3.2.1  Preprocessors

For example, a TCP analysis preprocessor could simply return if the packet does not have a TCP header. It can do this by checking

/* the decoder leaves tcph NULL when the packet carries no TCP header */
if (p->tcph == NULL)
   return;

Similarly, there are a lot of packet_flags available that can be used to mark a packet as "reassembled" or logged. Check out src/decode.h for the list of PKT_* constants.
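The early-return check and the packet_flags idea above, carried through into a complete preprocessor that can be compiled on its own. This is an added example, not code from the Snort tree: the Packet and TcpHdr structs and the PKT_REASSEMBLED and PKT_LOGGED values are constructed stand-ins for the real definitions in src/decode.h.

```c
/* Added example (not Snort's own source). The types and PKT_* values below
 * are constructed stand-ins for the definitions in src/decode.h. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

typedef struct { uint16_t th_sport; uint16_t th_dport; } TcpHdr;

#define PKT_REASSEMBLED 0x01   /* constructed: packet came from stream reassembly */
#define PKT_LOGGED      0x02   /* constructed: packet has already been logged */

typedef struct {
    TcpHdr  *tcph;          /* NULL when the decoder found no TCP header */
    uint32_t packet_flags;  /* bitmask of PKT_* values */
} Packet;

static unsigned long tcp_seen = 0;   /* packets this preprocessor examined */

/* Returns 1 if the packet was examined, 0 if the preprocessor skipped it. */
int TcpAnalysisPreprocessor(Packet *p)
{
    if (p->tcph == NULL)                  /* not TCP: nothing to do here */
        return 0;
    if (p->packet_flags & PKT_REASSEMBLED) /* rebuilt pseudo-packet: don't count a stream twice */
        return 0;

    tcp_seen++;
    printf("tcp %u -> %u\n", p->tcph->th_sport, p->tcph->th_dport);
    p->packet_flags |= PKT_LOGGED;        /* mark it so a later stage doesn't log it again */
    return 1;
}

unsigned long TcpAnalysisCount(void) { return tcp_seen; }

/* Runs three constructed packets through the preprocessor; returns how many were examined. */
int RunConstructedSample(void)
{
    TcpHdr hdr = { 12345, 80 };
    Packet udp     = { NULL, 0 };                /* constructed: no TCP header */
    Packet tcp     = { &hdr, 0 };                /* constructed: ordinary TCP packet */
    Packet rebuilt = { &hdr, PKT_REASSEMBLED };  /* constructed: reassembled pseudo-packet */
    int examined = 0;
    examined += TcpAnalysisPreprocessor(&udp);
    examined += TcpAnalysisPreprocessor(&tcp);
    examined += TcpAnalysisPreprocessor(&rebuilt);
    return examined;   /* 1: only the plain TCP packet is examined */
}

int main(void)
{
    printf("examined %d packet(s)\n", RunConstructedSample());
    return 0;
}
```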

3.2.2  Detection Plugins

Basically, look at an existing output plugin and copy it to a new item and change a few things. Later, we'll document what these few things are.

3.2.3  Output Plugins

Generally, new output plugins should go into the barnyard project rather than the snort project. We are currently cleaning house on the available output options.
