DEF CON 16 - Ben Feinstein: Snort Plug-in Development: Teaching an Old Pig New Tricks
Snort has become a standard component of many IT security environments. Snort is mature and widely deployed, and is no longer viewed as new or exciting by the industry. However, with such widespread deployment, enhancing Snort's capabilities offers the potential for a large and immediate impact. Instead of chasing the industry's new-hotness of the day, it frequently makes more sense to add new capabilities to an existing security control. With this in mind, the author set out to implement new and innovative capabilities in the form of GPL-licensed Snort plug-ins.

The author will introduce the Snort plug-in architecture and the relevant APIs used when implementing extensions to Snort. Lessons learned and pitfalls to avoid when developing Snort plug-ins will be covered. Some interesting code snippets will be discussed. Ideas for future work in the area of Snort extensions will be presented.

Ben Feinstein is a researcher on the Counter Threat Unit (CTU) at SecureWorks, working behind the scenes to support Agent Jack Bauer and the GWOT. He first became involved with information security in 2000 while working on a DARPA / USAF contract instead of going to his college classes. Since then, Ben has worked designing and implementing security-related software and appliances at a series of since acquired or failed start-ups. In his spare time Ben authored RFC 4765 and RFC 4767. His experience is in the areas of IDS/IPS, digital forensics, next-gen firewall systems, log analysis and viz, secure messaging, security appliances, small caliber arms and right-wing rhetoric. Ben has presented at Black Hat USA, DEFCON, ACSAC and others.

For copies of the slides and additional materials please see the DEF CON 16 Archive here: https://defcon.org/html/links/dc-archives/dc-16-archive.html