Subject: [snort] output plugins
From: Martin Roesch (roesch@hiverworld.com)
Date: Tue Mar 07 2000 - 00:37:22 CST


Ok, a quickie update on the status of the output plugin system. I have
restored what I believe to be sanity to the system. Snort now
automatically selects the proper output facilities (plugins or command
line overrides) at run-time and links them to the proper function
pointer (LogFunc or AlertFunc). This makes using the output plugin
system completely transparent to the plugin author, while maintaining
the consistent internal interface to the output mechanisms that Snort
has always had.

This gets rid of the stupid errors that we were seeing with things like
the output syslog alert module. The only burden at all under this new
system is placed upon the plugin authors: output plugins must now
indicate their type (log or alert) in the calls to
RegisterOutputPlugin() and AddFuncToOutputList(). All in all, I think
it's worked out rather well considering the mess it was...

As for the suggestion that we have multiple alerting facilities that can
be configured at runtime through the rules file, I like the idea, but
I'm going to have to whiteboard out a way to fit it into the current
architecture of Snort. One thing I want to *avoid* is changing the rule
formats. Everyone likes, understands, and is used to [alert|log|pass],
so I'd like to keep that if at all possible.

I'm going to be uploading beta 11 to the web and CVS servers shortly, so
you guys can check out the new stuff in a few minutes....

-- 
Martin Roesch                      <roesch@hiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
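The registration scheme Marty describes (a plugin declares itself as log or alert, and the engine links it to the matching LogFunc or AlertFunc list at run-time) is modelled below as an added example. This is not Snort's code: only the names RegisterOutputPlugin, AddFuncToOutputList, LogFunc and AlertFunc come from the post; their signatures, the OutputType enum, the Packet struct, ActivateOutputPlugin and the stub plugins are assumptions constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of the post's scheme; names below other than the four
 * from the post are invented for this example. */
typedef enum { OUTPUT_TYPE_ALERT = 1, OUTPUT_TYPE_LOG = 2 } OutputType;
typedef struct { const char *src; const char *dst; unsigned short dport; } Packet;
typedef void (*OutputFunc)(const Packet *p, const char *msg, void *arg);

typedef struct { const char *keyword; OutputType type; OutputFunc func; } OutputPlugin;
typedef struct OutputNode { OutputFunc func; void *arg; struct OutputNode *next; } OutputNode;

#define MAX_PLUGINS 16
static OutputPlugin registry[MAX_PLUGINS];
static int registry_count = 0;
static OutputNode *alert_list = NULL;   /* what AlertFunc walks */
static OutputNode *log_list = NULL;     /* what LogFunc walks */

/* Plugin author's one obligation: say whether this is an alert or log plugin. */
int RegisterOutputPlugin(const char *keyword, OutputType type, OutputFunc func)
{
    if (registry_count >= MAX_PLUGINS || func == NULL) return -1;
    if (type != OUTPUT_TYPE_ALERT && type != OUTPUT_TYPE_LOG) return -1;
    registry[registry_count].keyword = keyword;
    registry[registry_count].type = type;
    registry[registry_count].func = func;
    registry_count++;
    return 0;
}

/* Append an activated plugin to the list its declared type selects. */
int AddFuncToOutputList(OutputFunc func, OutputType type, void *arg)
{
    OutputNode **head, *node;
    if (type == OUTPUT_TYPE_ALERT)    head = &alert_list;
    else if (type == OUTPUT_TYPE_LOG) head = &log_list;
    else return -1;                   /* unknown type: refuse, never misroute */
    node = malloc(sizeof *node);
    if (node == NULL) return -1;
    node->func = func; node->arg = arg; node->next = NULL;
    while (*head != NULL) head = &(*head)->next;   /* keep config order */
    *head = node;
    return 0;
}

/* Run-time selection: the config keyword picks the plugin, the plugin's
 * registered type picks the list. Neither side sees the other. */
int ActivateOutputPlugin(const char *keyword, void *arg)
{
    int i;
    for (i = 0; i < registry_count; i++)
        if (strcmp(registry[i].keyword, keyword) == 0)
            return AddFuncToOutputList(registry[i].func, registry[i].type, arg);
    return -1;                        /* keyword never registered */
}

static void dispatch(OutputNode *list, const Packet *p, const char *msg)
{
    for (; list != NULL; list = list->next) list->func(p, msg, list->arg);
}
void AlertFunc(const Packet *p, const char *msg) { dispatch(alert_list, p, msg); }
void LogFunc(const Packet *p, const char *msg)   { dispatch(log_list, p, msg); }

/* Constructed stub plugin: records how often it fired and the last line. */
typedef struct { int calls; char last_msg[64]; } StubState;
static void stub_output(const Packet *p, const char *msg, void *arg)
{
    StubState *s = (StubState *)arg;
    s->calls++;
    snprintf(s->last_msg, sizeof s->last_msg, "%s->%s:%u %s",
             p->src, p->dst, (unsigned)p->dport, msg);
}
StubState alert_state, log_state;

/* Register two stubs, fire one alert and one log; returns 0 if routing held,
 * otherwise the number of the step that went wrong. */
int run_demo(void)
{
    Packet pkt = { "192.0.2.1", "192.0.2.2", 80 };   /* constructed sample */
    if (RegisterOutputPlugin("alert_stub", OUTPUT_TYPE_ALERT, stub_output) != 0) return 1;
    if (RegisterOutputPlugin("log_stub", OUTPUT_TYPE_LOG, stub_output) != 0)     return 2;
    if (ActivateOutputPlugin("alert_stub", &alert_state) != 0)                   return 3;
    if (ActivateOutputPlugin("log_stub", &log_state) != 0)                       return 4;
    if (ActivateOutputPlugin("not_registered", &log_state) != -1)                return 5;
    if (AddFuncToOutputList(stub_output, (OutputType)7, &log_state) != -1)       return 6;
    AlertFunc(&pkt, "constructed alert");
    if (alert_state.calls != 1 || log_state.calls != 0) return 7;
    LogFunc(&pkt, "constructed log");
    if (alert_state.calls != 1 || log_state.calls != 1) return 8;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("routing check: %s (%d)\n%s\n%s\n", rc == 0 ? "ok" : "FAILED", rc,
           alert_state.last_msg, log_state.last_msg);
    return rc;
}
```

The point worth noticing is that the type lives in the registry entry, not in the configuration line or in the engine's dispatch code: a misdeclared plugin lands on the wrong list, which is exactly the class of error the post says the rework removed, so the registration call rejects any type it does not know rather than guessing.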