[Snort-devel] Session reassembly in a preprocessor

Pietro Ravasio snort at ...1266...
Thu Apr 18 07:18:03 EDT 2002


I'm writing a preprocessor for Snort. I'm trying to integrate a pattern 
recognition based module into Snort using its traffic capture and 
decoding facilities. The problem is that I'm going to feed my PR engine 
both with packet "intrinsic" data (hence taken from "Packet" data 
structure) and with "connection" data (stuff like connection duration, 
average SlidingWindow size, and so on...).
For this reason I've got to reassemble TCP/IP streams. I'd like to use 
the ReassembleStream4 function (defined in spp_stream4), taking data from 
the "Session" (Session *ssn in ReassembleStream4) data structure. The 
problem is that this is a local variable that exists only in 
ReassembleStream4 and in functions called by this one. I don't think I 
can declare ssn as a global variable and then read from it in my 
plugin either, since its structure is dynamically changed by spp_stream4 code 
threads and for this reason its content might be "inconsistent" (I'd 
need an event generator to tell me when I can read from ssn and when I 
should wait).
I was thinking of calling a function of mine, passing ssn to it from 
ReassembleStream4 (for example when UpdateSession is called).

What do you suggest?

Please keep in mind that I need to access "session" data in "real 
time", so I can't use data written by DeleteSession: my PR algorithm 
can't wait for the end of the session.

I would also like not to create a "copy" of the session reassembly 
code in my plugin (for computational reasons!)

Pietro Ravasio
"Our real illiteracy is our inability to create"
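
The approach proposed in the message above (the reassembly code calling a plugin function with the session at update time) can be sketched as follows. This is an added example, not part of the original post and not Snort or spp_stream4 code: `DemoSession`, `DemoUpdateSession`, `RegisterSessionHook` and `ExtractFeatures` are hypothetical names, and the packet values in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for per-connection reassembler state;
 * this is NOT the Session structure from spp_stream4. */
typedef struct {
    uint32_t first_seen;   /* timestamp of first packet, seconds */
    uint32_t last_seen;    /* timestamp of latest packet, seconds */
    uint32_t pkt_count;    /* packets seen on this connection */
    uint64_t window_sum;   /* running sum of advertised TCP windows */
} DemoSession;

/* Connection-level features available while the session is still open. */
typedef struct {
    uint32_t duration;     /* seconds since the first packet */
    uint32_t avg_window;   /* mean advertised window so far */
} ConnFeatures;

typedef void (*SessionHook)(const DemoSession *ssn, void *ctx);
static SessionHook g_hook;   /* one subscriber keeps the example short */
static void *g_hook_ctx;

void RegisterSessionHook(SessionHook fn, void *ctx) { g_hook = fn; g_hook_ctx = ctx; }

/* Owner of the state. The hook fires only after every field is updated,
 * so the subscriber never observes a half-written session. */
void DemoUpdateSession(DemoSession *ssn, uint32_t ts, uint16_t win)
{
    if (ssn->pkt_count == 0) ssn->first_seen = ts;
    ssn->last_seen = ts;
    ssn->pkt_count++;
    ssn->window_sum += win;
    if (g_hook) g_hook(ssn, g_hook_ctx);   /* read-only view, no copy */
}

/* Subscriber: derives features from the live session on every update. */
void ExtractFeatures(const DemoSession *ssn, void *ctx)
{
    ConnFeatures *out = ctx;
    out->duration = ssn->last_seen - ssn->first_seen;
    out->avg_window = ssn->pkt_count ? (uint32_t)(ssn->window_sum / ssn->pkt_count) : 0;
}

int main(void)
{
    DemoSession s = {0}; ConnFeatures f = {0};   /* constructed sample */
    RegisterSessionHook(ExtractFeatures, &f);
    DemoUpdateSession(&s, 100, 1000);
    DemoUpdateSession(&s, 103, 2000);
    printf("duration=%u avg_window=%u\n", (unsigned)f.duration, (unsigned)f.avg_window);
}
```

Because the hook runs synchronously inside the update call, the features are current after every packet and no reassembly logic is duplicated in the subscriber.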
