Snort mailing list archives
Re: Snort++: enum "RuleOptType"
From: Russ <rucombs () cisco com>
Date: Mon, 23 Mar 2015 08:25:58 -0400
On 3/23/15 7:55 AM, Sancho Panza wrote:
> Hello
>
> I have noticed that IPS options register themselves with Snort by
> providing their RuleOptType, either of
>
>     OPT_TYPE_LOGGING,
>     OPT_TYPE_DETECTION,
>     OPT_TYPE_META
>
> I was trying to find out what are the exact implications of registering
> one type or the other. The only place in the source that I was able to
> find is in IpsManager::option_end (ips_manager.cc), where it only makes
> a difference if you provide OPT_TYPE_META or any other:
>
>     if ( ! ips )
>         return (ruleOptType == OPT_TYPE_META);
>
> In parse_rule_opt_end (parse_rule.cc) it also only makes a difference if
> you provide OPT_TYPE_META.
>
> So it looks to me like it really makes no difference at all to use
> OPT_TYPE_LOGGING or OPT_TYPE_DETECTION, is that right?
> Why is a distinction made between these two? Am I missing something?

Just use detection or meta. Logging will likely disappear in a later version and this may be replaced with a bool.

> Thanks
> Sancho

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
