[Snort-devel] Session reassembly in a preprocessor
snort at ...1266...
Thu Apr 18 07:18:03 EDT 2002
I'm writing a preprocessor for Snort. I'm trying to integrate a pattern
recognition based module into snort using its traffic capture and
decoding facilities. The problem is that I'm going to feed my PR engine
both with packet "intrinsic" data (hence taken from "Packet" data
structure) and with "connection" data (stuff like connection duration,
average SlidingWindow size, and so on...).
For this reason I've got to reassemble TCP/IP streams. I'd like to use
the ReassembleStream4 function (defined in spp_stream4), taking data from
the "Session" (Session *ssn in ReassembleStream4) data structure. The
problem is that this is a local variable that exists only in
ReassembleStream4 and in functions called by it. I don't think I
can declare ssn as a global variable and then read from it from my
plugin either, since its structure is dynamically changed by spp_stream4 code
threads and for this reason its content might be "inconsistent" (I'd
need an event generator to tell me when I can read from ssn and when I
I was thinking of calling a function of mine, passing ssn to it, from
ReassembleStream4 (for example when UpdateSession is called).
What do you suggest?
Please keep in mind that I should access "session" data in "real
time", so I can't use data written by DeleteSession: my PR algorithm
can't wait for the end of the session.
I would also like not to create a "copy" of the session reassembly
code in my plugin (for computational reasons!)
"Our real illiteracy is our inability to create"
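
The approach proposed in the message (calling a consumer function from the session-update path, so the consumer reads connection data only at a point where it is consistent) can be sketched as follows. This is an added example, not part of the original post and not Snort's code: `toy_session`, its fields, and every function name are hypothetical stand-ins for stream4's internals.

```c
#include <stdint.h>

/* Hypothetical stand-in for per-connection state; NOT Snort's Session struct. */
typedef struct {
    uint32_t first_seen;  /* seconds, time of first packet */
    uint32_t last_seen;   /* seconds, time of most recent packet */
    uint64_t win_sum;     /* running sum of advertised TCP window sizes */
    uint32_t pkt_count;   /* packets seen so far on this connection */
} toy_session;

/* Read-only copy handed to the consumer, so it never touches live state. */
typedef struct { uint32_t duration, avg_window, pkt_count; } session_features;

typedef void (*session_hook)(const session_features *f, void *ctx);
static session_hook g_hook;
static void *g_ctx;

void session_hook_register(session_hook h, void *ctx) { g_hook = h; g_ctx = ctx; }

/* Per-packet update: finish mutating the state, then notify the consumer. */
void toy_update_session(toy_session *s, uint32_t now, uint16_t window)
{
    if (s->pkt_count == 0) s->first_seen = now;
    s->last_seen = now;
    s->win_sum += window;
    s->pkt_count++;
    if (g_hook) {
        session_features f = { now - s->first_seen,
                               (uint32_t)(s->win_sum / s->pkt_count), s->pkt_count };
        g_hook(&f, g_ctx);  /* state is consistent here: the update is complete */
    }
}

/* Sample consumer: keeps the latest feature vector for the classifier. */
static void keep_latest(const session_features *f, void *ctx) { *(session_features *)ctx = *f; }

/* Constructed three-packet connection, used to exercise the hook. */
session_features demo(void)
{
    toy_session s = {0};
    session_features latest = {0};
    session_hook_register(keep_latest, &latest);
    toy_update_session(&s, 100, 8192);
    toy_update_session(&s, 101, 16384);
    toy_update_session(&s, 104, 4096);
    session_hook_register(0, 0);  /* unregister before 'latest' goes out of scope */
    return latest;
}

int main(void) { session_features f = demo(); return !(f.duration == 4 && f.pkt_count == 3); }
```

The consumer sees features while the session is still open, without waiting for teardown and without duplicating the reassembly logic.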