Snort mailing list archives

Snort 3.0: Actions
From: Sancho Panza <sancho () posteo de>
Date: Wed, 04 Feb 2015 18:23:56 +0100

I am trying to implement a new action type in snort.
For that, I was looking at the source code to see how other action types 
are realised and how this is supposed to work in general.

With the help of some extra debug statements, I found that 
ActionManager::execute is entered when my rule strikes, with a test for 
( s_action ) - which is set in ActionManager::queue. Alas, I've been 
unable to get s_action to be set.
From my understanding, this should be set from within 
fpdetect.cc:fpLogOther() - but config-wise, how do I achieve that 
rtn->listhead->action is set for a given rule?
I tried with writing a rule with action type "reject" which leads to an 
invocation of ActionManager::get_action_type() when 
parse_conf.cc:get_rule_type() is called, as the previous call to 
get_action_type() returns RULE_TYPE__NONE.
But then, why is the action type of "reject" RULE_TYPE__DROP? The list 
head for drop doesn't have the action field set!!!
How is this supposed to work?

Many thanks

Sancho

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel