readme.plugins

This is the snapshot of Snot Latest Rules

Plugin Info
12/5/99
Martin Roesch

Overview:

Snort version 1.5 introduces a major new concept, plugins.  There are two types
of plugin currently available in Snort: detection plugins and preprocessors.
Detection plugins check a single aspect of a packet for a value defined within
a rule and determine if the packet data meets their acceptance criteria.  For
example, the tcp flags detection plugin checks the flags section of TCP packets 
for matches with flag combinations defined in a particular rule.  Detection
plugins may be called multiple times per packet with different arguments.

Preprocessors are only called a single time per packet and may perform highly
complex functions like TCP stream reassembly, IP defragmentation, or HTTP
request normalization.  They can directly manipulate packet data and even call
the detection engine directly with their modified data.  They can perform less
complex tasks like statistics gathering or threshold monitoring as well.



Adding New Plugins to Snort as a User:

Right now, adding a new plugin to Snort is straightforward but requires you to 
edit two files by hand.  The plugin should consist of two files, 
"sp_something.c"/"sp_something.h" for detection plugins, and 
"spp_something.c"/"spp_something.h" for preprocessors.  For detection plugins, 
there are two steps to integrating it with Snort:

1) Edit plugbase.h and insert the line
     #include "sp_something.h"
   into the file with the other "#include" statements.  Save and close the 
   file.

2) Edit the plugbase.c file and in the InitPlugins() function, add the name of 
   the setup function to the list with the other Setup functions.  Save and 
   close the file.

3) Edit the Makefile.am and add the names of the two files to the list of 
   names on the "snort_SOURCES" line.  Save and exit the file.  Run 
   "automake".

All set.  Now recompile Snort and the plugin should be ready to use!  

Adding preprocessors is equally straightforward.  The process is essentially
the same as above:

1) Edit plugbase.h and insert the line
     #include "spp_preproc.h"
   into the file with the other "#include" statements.  Save and close the 
   file.

2) Edit the plugbase.c file and in the InitPreprocessors() function, add the
   name of the setup function to the list with the other Setup functions.  
   Save and close the file.

3) Edit the Makefile.am and add the names of the two files to the list of 
   names on the "snort_SOURCES" line.  Save and exit the file.  Run 
   "automake".

Someday, there will be a nice little program that will do all this work for you!



Writing New Snort Plugins as a Developer:

This process is also pretty straight forward, and the best place to look for 
information on doing these things is at the files in the "templates" directory.
The sp_* files are setup for detection plugins, and the spp_* files refer to 
the preprocessor files.  The main thing to remember once you've got it written 
is to put the proper includes and function calls into plugbase[.c|.h].  I 
should probably flesh out this document more, but I think that the best info
is in the template files.  If you have any questions or comments, don't
hesitate to send me an e-mail!