[Snort-sigs] RE-Announcing sp_perl

From: Brian <bmc(at)snort.org>
Date: Tue May 13 2003 - 09:48:56 EDT

On Sat, May 10, 2003 at 03:48:47AM -0700, Jeff Nathan wrote:
> As described in our CanSecWest/core03 presentation, Advanced IDS, Brian

And now, since we've had more eyes on the problem than just ours, the dummy factor kicked in and we've cleaned it up quite a bit.

There are a few major changes in this new version:

  • Ports are passed as an int. If the packet isn't TCP or UDP, they are set to 0 (Snort does this for us). So be smart if you are using ports.
  • IPs are passed as an unsigned int. If you want to use the stringified IP, we provide a Perl version of inet_ntoa.
  • All of the alloc calls have been replaced with SnortAlloc, to make Chris's auditing easier.
  • The payload is no longer converted to a string and passed onto the Perl stack. Perl supports passing a pointer & length, but it wasn't clearly documented.

Since we are no longer stringifying the data before passing it onto the Perl stack, sp_perl has gained a HUGE increase in speed.

The updated readme, patches, and presentation are all available on snort.org, here:

   http://www.snort.org/dl/contrib/patches/snort-perl/

-brian




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Tue May 13 10:28:40 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT
