I sent this to Vern, but thought a wider audience might be interested,
or have some answers.
Thanks Vern:
I'm planning on using the snort engine to extend KO (Kazaa
Obliterator). It looks like I could use a policy script like this:
signature kazaa-seen {
    ip-proto == tcp
    dst-ip == whatever
    dst-port == whatever    # or omitted, I guess
    payload /.*kazaa regular expression/
    eval function_to_execute_when_kazaa_seen
    event "kazaa seen"
}
The 'eval' & the 'event' are somewhat confusing. I presume that the
'signature_match' event is triggered with the string for action, but
when is the 'eval' called (before the event, or after), and with what
args? Presumably the connection information is available. I haven't
seen any running examples of the signature event. Do you have some
examples?
Thanks.
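For reference, here is an added end-to-end example (not from the original post, and not KO's or Bro's own code) of how the two halves fit together: a signature file and the policy script that supplies the `eval` function and handles `signature_match`. It follows the Bro/Zeek signature documentation: `eval` names a function of type `function(state: signature_state, data: string): bool` that is called once the header and payload conditions have already matched, and only if it returns `T` does the signature count as a match and raise `signature_match(state, msg, data)`, with the signature's `event` string passed as `msg`. The `signature_state` record carries the connection (`state$conn`), direction (`state$is_orig`), signature id (`state$sig_id`) and payload size. The port 1214, the payload pattern, the file names and the function name `kazaa_seen` are assumptions for illustration, and the `@load-sigs` directive is current Zeek syntax (older Bro releases listed signature files via `redef signature_files`).

```zeek
# kazaa.sig  (assumed file name; port and pattern are assumptions, not KO's)
signature kazaa-seen {
    ip-proto == tcp
    dst-port == 1214                   # assumed Kazaa port; omit to match any port
    payload /.*[kK][aA][zZ][aA][aA]/   # constructed pattern; ".*" because payload
                                       # patterns are anchored at the payload start
    eval kazaa_seen                    # called only after the conditions above match
    event "kazaa seen"                 # becomes 'msg' in signature_match if eval returns T
}

# kazaa.zeek  (assumed file name)
@load-sigs ./kazaa.sig

# eval callback.  'state' carries the connection, the direction and the payload
# size; 'data' is the payload that matched.  Returning F suppresses the match,
# so no signature_match event is raised for this packet.
function kazaa_seen(state: signature_state, data: string): bool
    {
    # Only count client->server traffic as a hit.
    if ( ! state$is_orig )
        return F;

    print fmt("eval: %s -> %s:%s (%d payload bytes)",
              state$conn$id$orig_h, state$conn$id$resp_h,
              state$conn$id$resp_p, state$payload_size);
    return T;
    }

# Raised after kazaa_seen returned T; 'msg' is the signature's event string.
event signature_match(state: signature_state, msg: string, data: string)
    {
    # Other signatures raise the same event, so filter on the signature id.
    if ( state$sig_id != "kazaa-seen" )
        return;

    print fmt("%s: %s -> %s", msg,
              state$conn$id$orig_h, state$conn$id$resp_h);
    # An obliterator would act on state$conn here (assumed KO behaviour).
    }
```

Run it as `zeek -r capture.pcap kazaa.zeek` (assumed capture file). The order shown is the answer to the eval/event question: the `eval` function is the last condition checked, and `signature_match` is raised only when it returns `T`.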