[Snort-devel] Session reassembly in a preprocessor
cmg at ...402...
Thu Apr 18 07:27:19 EDT 2002
Pietro Ravasio <snort at ...1266...> writes:
> I'm writing a preprocessor for Snort. I'm trying to integrate a
> pattern recognition based module into snort using its traffic capture
> and decoding facilities. The problem is that I'm going to feed my PR
> engine both with packet "intrinsic" data (hence taken from "Packet"
> data structure) and with "connection" data (stuff like connection
> duration, average SlidingWindow size, and so on...).
> For this reason I've got to reassemble TCP/IP streams. I'd like to use
> ReassembleStream4 function (defined in spp_stream4) taking data from
> "Session" (Session *ssn in ReassembleStream4) data structure. The
> problem is that this is a local variable that exists only in
> ReassembleStream4 and in functions called by this one. I think I
> neither can declare ssn as a global variable
Each pkt has

    void *ssnptr; /* for tcp session tracking info... */

that should be a pointer back to the tcp session info for that.
It's there so that the original packets can be flushed but should also
give you what you want.
Chris Green <cmg at ...402...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod
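
Added example (not part of the original post and not Snort's own code): a preprocessor-style hook that follows the ssnptr pointer described in the reply above to derive connection-level features for a downstream engine. The Session and ConnFeatures layouts and the function name ExtractConnFeatures are hypothetical stand-ins; only the ssnptr member is taken from the post.

```c
#include <stdio.h>
#include <stddef.h>
#include <time.h>

/* Hypothetical subset of per-connection state; NOT stream4's real Session. */
typedef struct {
    time_t start_time;     /* first packet seen on the connection */
    time_t last_time;      /* most recent packet seen */
    unsigned long pkts;    /* packets tracked so far */
    unsigned long win_sum; /* running sum of advertised TCP windows */
} Session;

/* Stand-in for Snort's Packet: only ssnptr comes from the post. */
typedef struct {
    void *ssnptr;          /* for tcp session tracking info... */
} Packet;

/* Connection-level features handed to the pattern-recognition engine. */
typedef struct {
    double duration;       /* seconds */
    double avg_window;     /* bytes */
} ConnFeatures;

/* Returns 0 and fills *out when the packet carries session state,
 * -1 when there is nothing to read (non-TCP or untracked packet, or
 * the session tracker has not processed this packet yet). */
int ExtractConnFeatures(const Packet *p, ConnFeatures *out)
{
    const Session *ssn;

    if (p == NULL || out == NULL || p->ssnptr == NULL)
        return -1;

    ssn = (const Session *)p->ssnptr;
    out->duration = difftime(ssn->last_time, ssn->start_time);
    out->avg_window = ssn->pkts ? (double)ssn->win_sum / ssn->pkts : 0.0;
    return 0;
}

int main(void)
{
    Session s = { 1000, 1012, 4, 4 * 8192 };  /* constructed sample */
    Packet tcp = { &s }, untracked = { NULL };
    ConnFeatures f;

    if (ExtractConnFeatures(&tcp, &f) == 0)
        printf("duration=%.0fs avg_win=%.0f\n", f.duration, f.avg_window);
    printf("untracked -> %d\n", ExtractConnFeatures(&untracked, &f));
    return 0;
}
```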