[Snort-devel] Session reassembly in a preprocessor

Chris Green cmg at ...402...
Thu Apr 18 07:27:19 EDT 2002


Pietro Ravasio <snort at ...1266...> writes:

> Hi,
>
> I'm writing a preprocessor for Snort. I'm trying to integrate a
> pattern recognition based module into snort using its traffic capture
> and decoding facilities. The problem is that I'm going to feed my PR
> engine both with packet "intrinsic" data (hence taken from "Packet"
> data structure) and with "connection" data (stuff like connection
> duration, average SlidingWindow size, and so on...).
> For this reason I've got to reassemble TCP/IP streams. I'd like to use
> ReassembleStream4 function (defined in spp_stream4) taking data from
> "Session" (Session *ssn in ReassembleStream4) data structure. The
> problem is that this is a local variable that exists only in
> ReassembleStream4 and in functions called by this one. I think I
> neither can declare ssn as a global variable

Each pkt has 

void *ssnptr;      /* for tcp session tracking info... */

that should be a pointer back to the tcp session info for that.

It's there so that the orignal packets can be flushed but should also
give you what you want
-- 
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod





More information about the Snort-devel mailing list