samhain has a programming interface that allows to add modules written in C. Basically, for each module a structure of type struct mod_type, as defined in sh_modules.h, must be added to the list in sh_modules.c.

This structure contains pointers to initialization, timing, checking, and cleanup functions, as well as information for parsing the configuration file.

For details, in the source code distribution check the files sh_modules.h, sh_modules.c, as well as e.g. utmp.c, utmp.h, which implement a module to monitor login/logout events. There is also a HOWTO written by eircom.net Computer Incident Response Team.