Problem
None of these preprocessors do what I want. How do I write my own?
Solution
Actually, this really depends on what you are trying to accomplish with your new preprocessor. Are you trying to create an application decoder that passes plain-text data back to the rules engine for analysis? Are you trying to create an anomaly detection tool that does not rely on standard signature rules?
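The two kinds of preprocessor named above do different jobs, and the difference is easiest to see in code. The following C program is an added illustration, not code from this book, from Jay Beale's chapter, or from Snort itself: it models a preprocessor chain with a made-up registration hook and packet structure (the names `register_preprocessor`, `packet_t`, `scan_payload` and the stub `rules_engine` are all invented for the example and are not Snort's API). One preprocessor is an application decoder that percent-decodes an HTTP-style payload so that a plain `content:` match sees what the server will see; the other is an anomaly detector that raises a flag on byte statistics alone, with no signature. The sample payloads are constructed, not captured traffic.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PREPROCS 8
#define MAX_PAYLOAD  1024

/* Hypothetical stand-in for the packet a preprocessor sees (not Snort's Packet struct). */
typedef struct {
    unsigned char data[MAX_PAYLOAD];
    size_t len;
    int anomaly;            /* raised by an anomaly-detection preprocessor */
} packet_t;

typedef void (*preproc_fn)(packet_t *p);
static preproc_fn preproc_list[MAX_PREPROCS];
static int preproc_count;

/* Hypothetical registration hook: appends a preprocessor to the ordered chain.
 * In Snort this role is played by the preprocessor's setup/init functions. */
int register_preprocessor(preproc_fn fn)
{
    if (preproc_count >= MAX_PREPROCS)
        return -1;
    preproc_list[preproc_count++] = fn;
    return 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Kind 1: application decoder. Percent-decodes the payload in place so that a
 * plain-text content rule matches the same bytes the application will act on. */
void urldecode_preproc(packet_t *p)
{
    size_t r = 0, w = 0;
    while (r < p->len) {
        if (p->data[r] == '%' && r + 2 < p->len) {
            int hi = hexval(p->data[r + 1]), lo = hexval(p->data[r + 2]);
            if (hi >= 0 && lo >= 0) {
                p->data[w++] = (unsigned char)(hi * 16 + lo);
                r += 3;
                continue;
            }
        }
        p->data[w++] = p->data[r++];
    }
    p->len = w;
}

/* Kind 2: anomaly detector. No signature: flags a payload when more than a
 * quarter of its bytes are non-printable, which is unusual for a text protocol. */
void anomaly_preproc(packet_t *p)
{
    size_t i, nonprint = 0;
    for (i = 0; i < p->len; i++) {
        unsigned char c = p->data[i];
        if (!isprint(c) && c != '\r' && c != '\n' && c != '\t')
            nonprint++;
    }
    if (p->len > 0 && nonprint * 4 > p->len)
        p->anomaly = 1;
}

/* Stub rules engine: a single "content:"-style substring match on the payload. */
int rules_engine(const packet_t *p, const char *content)
{
    size_t n = strlen(content), i;
    if (n == 0 || n > p->len)
        return 0;
    for (i = 0; i + n <= p->len; i++)
        if (memcmp(p->data + i, content, n) == 0)
            return 1;
    return 0;
}

/* Runs the registered chain in order (if use_preprocs), then the rules engine.
 * Returns 1 on a content match; *anomaly receives the anomaly flag. */
int scan_payload(const char *raw, const char *content, int use_preprocs, int *anomaly)
{
    packet_t p;
    int i;
    memset(&p, 0, sizeof p);
    p.len = strlen(raw);
    if (p.len > MAX_PAYLOAD) p.len = MAX_PAYLOAD;
    memcpy(p.data, raw, p.len);
    if (use_preprocs)
        for (i = 0; i < preproc_count; i++)
            preproc_list[i](&p);
    *anomaly = p.anomaly;
    return rules_engine(&p, content);
}

/* Registers the two example preprocessors once (the stand-in for snort.conf "preprocessor" lines). */
void setup_preprocessors(void)
{
    if (preproc_count == 0) {
        register_preprocessor(urldecode_preproc);
        register_preprocessor(anomaly_preproc);
    }
}

int main(void)
{
    const char *evasive = "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0";  /* constructed */
    int anomaly;
    setup_preprocessors();
    printf("raw match: %d\n", scan_payload(evasive, "../../etc/passwd", 0, &anomaly));
    printf("decoded match: %d\n", scan_payload(evasive, "../../etc/passwd", 1, &anomaly));
    scan_payload("A\x01\x02\x03\x04", "", 1, &anomaly);
    printf("anomaly flag: %d\n", anomaly);
    return 0;
}
```

The raw payload defeats the plain content rule, the decoded one does not, and the binary-looking payload trips the anomaly flag without any rule at all. That is the practical split the question is asking about: a decoder changes what the rules engine sees, while an anomaly detector makes its own decision about the packet and only needs a way to report it.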
Discussion
For a really long, hard look at how to create your own preprocessor, see Jay Beale's entire chapter on the subject in the Snort 2.1 book from Syngress Publishing.
See Also
Beale, Jay. Snort 2.1 Intrusion Detection. Rockland, MA: Syngress, 2004.
Snort-devel mailing list