[Snort-devel] Where to do the stuff?

Martin Roesch roesch at ...48...
Wed Jan 24 11:45:47 EST 2001


Todd Lewis wrote:
> 
> Ok, I want to use the following syntax:
> 
>   alert icmp any any -> any any (msg:"Misc. ICMP traffic";verdict:"discard";);
> 
> The verdict will be one of "accept", "drop", or "reject", which
> will map to PA_PACKET_VERDICT_ACCEPT, PA_PACKET_VERDICT_DROP,
> PA_PACKET_VERDICT_REJECT.  If no verdict is specified, then the rule
> will be set to PA_PACKET_VERDICT_NO_ACTION.
> 
> I've extended OptTreeNode to include a verdict:
> 
>     int verdict;         /* verdict */
> 
> added into ParseRuleOptions():
> 
>             else if (!strcasecmp(opts[0], "verdict"))
>             {
>                 ParseVerdict(opts[1]);
>             }
> 
> and added this new function:
> 
> void ParseVerdict(char *verdict)
> {
>     if(!(strcmp(verdict, "accept"))){
>         otn_tmp->verdict = PA_PACKET_VERDICT_ACCEPT;
>     } else if(!(strcmp(verdict, "drop"))){
>         otn_tmp->verdict = PA_PACKET_VERDICT_DROP;
>     } else if(!(strcmp(verdict, "reject"))){
>         otn_tmp->verdict = PA_PACKET_VERDICT_REJECT;
>     } else {
>         ErrorMessage("ERROR %s (%d): unknown verdict \"%s\"\n",
>                      file_name, file_line, verdict);
>     }
> }

Please use strncmp() (actually, you should use strncasecmp()); people
send me nasty emails when they search for "overflows" in the Snort source
and see things like sprintf and strcmp and strcpy.

> The only thing left to do is really easy.  When a packet matches a
> rule, I need to do this:
> 
>         if(otn->verdict!=PA_PACKET_VERDICT_NO_ACTION)
>                 P->verdict=otn->verdict;
> 
> My question is, where do I do this?  rules.c:Detect()?
> rules.c:EvalHeader()?  rules.c:EvalOpts()?  I don't really understand
> what is going on in this part of snort; laziness being a virtue, I would
> appreciate if someone could give me a little guidance.

Put it in rules.c:EvalOpts() in the last "else" section, that's the code
that gets called when an OTN has a successful match (hmm, someone should
comment that... ;).  Here's the code block I'm talking about:

    else
    {
        /* rule match actions are called from EvalHeader */
        otn_tmp = List;
        return 1;
    }


     -Marty

--
Martin Roesch
roesch at ...48...
http://www.snort.org
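The two pieces discussed in this thread, the keyword parser for the verdict option and the assignment that belongs in EvalOpts()' successful-match branch, as an added worked example. This is illustrative code written for this page, not Todd's patch and not Snort's rules.c. The PA_PACKET_VERDICT_* numeric values, the VERDICT_BAD sentinel, the function names, the tolerance for a double-quoted value (the quoted rule writes verdict:"..."), and the rule file name in the driver are all assumptions made for the example. It uses the bounded, case-insensitive strncasecmp() Marty asks for, rejects prefix matches such as "dropped", treats "discard" (used in the quoted rule but absent from the accept/drop/reject mapping) as unknown, and shows that a rule carrying no verdict leaves an earlier rule's verdict on the packet untouched.

```c
#define _POSIX_C_SOURCE 200809L   /* strncasecmp() lives in <strings.h> under POSIX */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-ins for the PA_PACKET_VERDICT_* constants named in the thread.
 * Their real numeric values are not on the page; these are assumed. */
enum {
    PA_PACKET_VERDICT_NO_ACTION = 0,
    PA_PACKET_VERDICT_ACCEPT    = 1,
    PA_PACKET_VERDICT_DROP      = 2,
    PA_PACKET_VERDICT_REJECT    = 3
};
#define VERDICT_BAD (-1)   /* parse failure; hypothetical, not a Snort constant */

/* Keyword table: one entry per accepted verdict string. */
static const struct {
    const char *name;
    int         verdict;
} verdict_table[] = {
    { "accept", PA_PACKET_VERDICT_ACCEPT },
    { "drop",   PA_PACKET_VERDICT_DROP   },
    { "reject", PA_PACKET_VERDICT_REJECT },
};

/* Map a rule option value to a verdict constant.
 *  - case-insensitive, so verdict:DROP and verdict:drop mean the same thing
 *  - bounded by the keyword length (strncasecmp), never by the input's length
 *  - exact length match, so "dropped" or "acceptable" do not match "drop"/"accept"
 *  - surrounding double quotes, as in the quoted rule syntax, are stripped (assumption)
 * Returns VERDICT_BAD for NULL, empty or unknown input. */
int parse_verdict(const char *arg)
{
    if (arg == NULL)
        return VERDICT_BAD;

    size_t len = strlen(arg);
    if (len >= 2 && arg[0] == '"' && arg[len - 1] == '"') {
        arg++;
        len -= 2;
    }

    for (size_t i = 0; i < sizeof verdict_table / sizeof verdict_table[0]; i++) {
        size_t klen = strlen(verdict_table[i].name);
        if (len == klen && strncasecmp(arg, verdict_table[i].name, klen) == 0)
            return verdict_table[i].verdict;
    }
    return VERDICT_BAD;
}

/* The assignment Todd wants to place in EvalOpts()' successful-match branch,
 * written as a pure function so it can be checked: given the matched rule's
 * verdict and the verdict the packet already carries, return the packet's new
 * verdict. A rule with no verdict option (NO_ACTION) must leave an earlier
 * rule's decision in place rather than reset it. */
int packet_verdict_after_match(int rule_verdict, int packet_verdict)
{
    if (rule_verdict != PA_PACKET_VERDICT_NO_ACTION)
        return rule_verdict;
    return packet_verdict;
}

static const char *verdict_name(int v)
{
    switch (v) {
    case PA_PACKET_VERDICT_NO_ACTION: return "NO_ACTION";
    case PA_PACKET_VERDICT_ACCEPT:    return "ACCEPT";
    case PA_PACKET_VERDICT_DROP:      return "DROP";
    case PA_PACKET_VERDICT_REJECT:    return "REJECT";
    default:                          return "BAD";
    }
}

int main(void)
{
    /* Constructed option values: valid ones in mixed case and quoting, the
     * "discard" from the quoted rule, a near-miss prefix, and an empty value. */
    const char *inputs[] = { "drop", "\"REJECT\"", "Accept", "discard", "dropped", "" };
    const char *file_name = "local.rules";   /* constructed, not a real rules file */

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = parse_verdict(inputs[i]);
        if (v == VERDICT_BAD)   /* the error path ParseVerdict() should report */
            fprintf(stderr, "ERROR %s (%zu): unknown verdict \"%s\"\n",
                    file_name, i + 1, inputs[i]);
        else
            printf("%-10s -> %s\n", inputs[i], verdict_name(v));
    }

    /* A DROP rule matches first, then a rule with no verdict option matches. */
    int pv = packet_verdict_after_match(PA_PACKET_VERDICT_DROP, PA_PACKET_VERDICT_NO_ACTION);
    pv = packet_verdict_after_match(PA_PACKET_VERDICT_NO_ACTION, pv);
    printf("packet verdict after DROP rule then plain rule: %s\n", verdict_name(pv));
    return 0;
}
```

The error path reports the rule file and line and keeps going, which is what the ErrorMessage() call in the quoted ParseVerdict() is for; the table-driven lookup also means adding a fourth verdict keyword later is a one-line change rather than another strcmp() branch.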