I'm trying to implement a custom search engine plugin for snort3. For now, I'm just trying to mimic the behavior of the snort3_extra example (lowmem).
However, I hit a roadblock. The inherited _search function has a side effect happening inside of it. I have narrowed it down to the call to the MpseMatch function in snort3_extra/src/search_engines/lowmem/sfksearch.cc:
    if (match (pk->user, pk->rule_option_tree, index, context, pk->neg_list) > 0)
The MpseMatch function has the following signature, and is defined in snort3/src/search_engines/search_common.h:
    typedef int (* MpseMatch)(void* user, void* tree, int index, void* context, void* list);
Since lowmem doesn't implement its own version of MpseMatch, it has to use the default version. I wasn't able to figure out where it resides. Please help.
Also, where can I find a good documentation source for snort3_extra? The best one I could find is this one, but it seems auto-generated.
Thank you!