[Snort-devel] fun questions on a friday night

Todd Lewis tlewis at ...120...
Fri Dec 8 23:40:16 EST 2000


Ok, so I was in London this past week and I took a stab at separating
out the packet acquisition engines.  Attached is an initial patch,
complete with README file.  It still needs work.

Right now, the patch includes the separation of all packet acquisition
code into separate paengine modules.  Two modules are implemented:
pcap and netfilter/ipq.  I've grabbed the "-E" command line flag
to allow the user to specify the engine at run time.  This patch is
superficially tested; using pcap will send all packets into snort, while
using netfilter will only send snort those packets which are directed
to userspace by netfilter under Linux 2.4.  No guarantee with regard
to memory leaks or performance under load or anything, but it all seems
straightforward enough.

However, it doesn't do firewalling.  The problem is that the packet
analysis all happens below the packet acquisition loop.  I.e., since
pcap_loop() calls a void packet handling function, and since I am
basically emulating pcap_loop(), I can't get any information back out
of the packet handler.  Since the paengine is where I need to do the
firewalling, this is a problem; the firewall logic needs info from the
lower layer, and there's no way to pass it up.

My initial thinking is that I would like for snort.c:ProcessPacket to be
an int instead of a void and to return the verdict on the packet, i.e.,
to end with "return(p.verdict);".  My qualm about this approach is that
there might be other information that the paengine wants out of the packet
analysis guts of snort, and so a more general solution may be called for.
That more general solution involves breaking down packet handling.
It would probably look something like this in each paengine:

	static void take_action(Packet *p);

	void paengine_main_loop(void (*munge_packet_callback)(u_char *, Packet *))
	{
		u_char buf[BUFSIZE];
		Packet p;

		while(get_packet(buf, sizeof(buf))){
			(*munge_packet_callback)(buf, &p); /* dependent on packet type */
			process_packet(&p);                /* global, general for snort */
			take_action(&p);                   /* engine-specific action on the result */
		}
	}

That way, the paengine has visibility into the Packet struct, which
can be extended to pass around whatever info is needed.

What do people think of these two approaches?

--
Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.paengine.patch.1.bz2
Type: application/octet-stream
Size: 13594 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20001208/94563dbf/attachment.obj>
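The two approaches raised in the message above, sketched together as an added example; this is not code from the original post, the attached patch, or Snort. All names, the `verdict` field layout, the "EVIL" signature stand-in for packet analysis, and the sample payloads are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical types and names; not Snort's own definitions. */
enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

typedef struct {
    const unsigned char *data;
    size_t len;
    enum verdict verdict;   /* written by analysis, read by the engine */
} Packet;

/* Stand-in for packet analysis: flag payloads containing "EVIL". */
static int process_packet(Packet *p)
{
    static const char sig[] = "EVIL";
    const size_t n = sizeof(sig) - 1;

    p->verdict = VERDICT_ACCEPT;
    for (size_t i = 0; i + n <= p->len; i++) {   /* safe for len < n */
        if (memcmp(p->data + i, sig, n) == 0) {
            p->verdict = VERDICT_DROP;
            break;
        }
    }
    return p->verdict;      /* approach 1: verdict as the return value */
}

struct engine_stats { int accepted; int dropped; };

/* Stand-in acquisition engine looping over an in-memory queue. */
struct engine_stats paengine_main_loop(const char *const *queue, size_t count)
{
    struct engine_stats st = {0, 0};

    for (size_t i = 0; i < count; i++) {
        Packet p = { (const unsigned char *)queue[i], strlen(queue[i]),
                     VERDICT_ACCEPT };
        process_packet(&p);
        /* approach 2: the engine reads the verdict from the Packet struct;
           a firewalling engine would apply accept/drop at this point */
        if (p.verdict == VERDICT_DROP) st.dropped++; else st.accepted++;
    }
    return st;
}

struct engine_stats run_sample(void)
{
    /* constructed sample payloads */
    static const char *const queue[] = { "GET / HTTP/1.0", "xxEVILxx", "hi" };
    return paengine_main_loop(queue, sizeof(queue) / sizeof(queue[0]));
}
```

Because the verdict lives in the `Packet` struct, further fields can be added for the engine without changing the signature of `process_packet`.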