You can think of this as a dynamic rule "starter kit", the goal of
which is to make it as simple as possible to implement a dynamic rule.
This one is called DRX, for "Dynamic Rule Example".  You can build DRX,
which is deliberately trivial, and then change it to do what you need.


Here is how to build DRX:

1.  Download the Snort 2.9.1 tarball.  Unpack and build it in
    /path/to/snort/topdir (the directory where you run ./configure).
    There is no need to run make install.

2.  Download and unpack this tarball (drx-*.tar.gz) in some other directory.

3.  echo "SNORT=/path/to/snort/topdir" > setup.sh

4.  ./build.sh (see Issue 1 at end)

5.  ./test.sh

There are a number of things that can trip you up so pay special attention to
the following details:

* Unfortunately, Snort doesn't install the development headers required, and
  the dynamic rule example in its source tree assumes you work in that source
  tree.  This example can be built outside the Snort source tree and without
  installing Snort.

* configure.ac ensures that DRX is compiled with exactly the same options as
  Snort by using pkg-config and snort.pc, which the Snort build generates
  automatically.  If you skip this, key structures may be laid out differently
  in Snort proper and in DRX, which leads to nasty things like segfaults (or,
  when Snort catches it at load time, a size mismatch error; see Issue 1).

* Snort uses hidden symbol visibility by default on compilers that support
  it, to reduce the runtime overhead of accessing dynamically loaded modules
  like DRX.  Since DRX inherits those compiler flags, you must get the
  visibility right so that InitializeDetection(), LibVersion() etc. are
  actually exported; otherwise Snort cannot resolve them when it loads the
  module.

* Snort needs a text "stub" rule for each dynamic rule.  Fortunately, it will
  generate them for you (the --dump-dynamic-rules option).  Look in test.sh
  to see how it does that.
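The following is an added illustration of the visibility point, written for
this README; it is not the drx.c shipped in the tarball, and the names
drx_state, drx_find, drx_eval, DRX_PATTERN and the DRX_EXPORT/DRX_HIDDEN
macros are made up for the example.  The real entry points and packet/rule
structures come from Snort's sf_snort_plugin_api.h.  The idea is the same:
when the whole object is compiled with -fvisibility=hidden, only the symbols
you explicitly mark "default" are visible to Snort's dlsym().

```c
/* drx_vis.c -- added example; not the drx.c from this tarball.
 * Build:  cc -shared -fPIC -fvisibility=hidden drx_vis.c -o drx_vis.so
 * Check:  nm -D --defined-only drx_vis.so   (drx_eval listed, drx_find not)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* With -fvisibility=hidden (which DRX inherits via snort.pc) nothing is
 * exported unless marked.  Entry points that Snort resolves with dlsym()
 * need "default"; helpers get "hidden" explicitly so they stay private
 * even if someone builds without the flag. */
#if defined(__GNUC__) && __GNUC__ >= 4
#define DRX_EXPORT __attribute__((visibility("default")))
#define DRX_HIDDEN __attribute__((visibility("hidden")))
#else
#define DRX_EXPORT
#define DRX_HIDDEN
#endif

/* Hypothetical per-rule state.  A real module uses the packet and rule
 * structures from sf_snort_plugin_api.h, whose layout must match the
 * Snort binary that loads it (hence the pkg-config/snort.pc requirement). */
struct drx_state {
    unsigned evals;    /* times drx_eval() was called */
    unsigned matches;  /* times the pattern was found */
};

/* Constructed pattern the example rule looks for (not from the tarball). */
static const uint8_t DRX_PATTERN[] = { 'D', 'R', 'X', '-', 'T', 'E', 'S', 'T' };

/* Hidden helper: bounded substring search (memmem() is not in C99).
 * Not static, so it would be exported if visibility were not controlled. */
DRX_HIDDEN int drx_find(const uint8_t *buf, size_t len,
                        const uint8_t *pat, size_t plen)
{
    if (buf == NULL || pat == NULL || plen == 0 || plen > len)
        return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* Exported evaluator: returns 1 if the payload contains the pattern,
 * 0 otherwise.  The counters let a caller see that the rule really ran,
 * in the spirit of the "drx eval"/"drx match" traces in test.sh output. */
DRX_EXPORT int drx_eval(struct drx_state *st, const uint8_t *payload, size_t len)
{
    int hit;
    if (st == NULL)
        return 0;
    st->evals++;
    hit = drx_find(payload, len, DRX_PATTERN, sizeof DRX_PATTERN);
    if (hit)
        st->matches++;
    return hit;
}

int main(void)
{
    struct drx_state st = { 0, 0 };
    /* Constructed sample payload. */
    static const uint8_t pkt[] = "GET /index.html?q=DRX-TEST HTTP/1.0\r\n";
    int hit = drx_eval(&st, pkt, sizeof pkt - 1);
    printf("match=%d evals=%u matches=%u\n", hit, st.evals, st.matches);
    return 0;
}
```

After building the shared object, `nm -D --defined-only drx_vis.so` should
list drx_eval but not drx_find.  The same check applied to the DRX module
you build with build.sh tells you whether InitializeDetection(), LibVersion()
and friends made it into the dynamic symbol table; if they are missing,
Snort will fail to load the module.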


Test output:

drx.c:124: drx eval
drx.c:124: drx eval
drx.c:124: drx eval
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:138: drx match
4	3	1	1	
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:138: drx match
6	3	1	1	
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:138: drx match
8	3	1	1	
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:138: drx match
10	3	1	1	
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:138: drx match
12	3	1	1	
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:124: drx eval
drx.c:124: drx eval
drx.c:124: drx eval
drx.c:124: drx eval
drx.c:132: drx toggle
drx.c:138: drx match
drx.c:124: drx eval


Next steps:

Just change drx.c to do what you want, but bear in mind:

* If you change the name from drx.c or add other files, you will need to update
  Makefile.am.


Issues:

1. build.sh currently hard-codes a #define of HAVE_WCHAR_H in config.h.  This
   is due to a flaw in this tarball's autotools setup.  If that isn't true on
   your system, comment it out of build.sh.  You'll know it is a problem
   because it will lead to a size mismatch error when Snort starts up and
   loads the module.

