[Snort-devel] Resp/React Firing Problem/Bug

Jeff Nathan jeff at ...835...
Fri Jun 21 12:56:03 EDT 2002

MASM wrote:
> Hi again,
> First of all, thank you for the answer.
> I'm sorry if I insist, I agree with you when you say that the response
> should be on the OTN, but what I see on the code is:
> In rules.h the definition of proto_node on OTN struct is:
>     struct _RuleTreeNode *proto_node; /* ptr to head part... */

Within an OTN, the proto_node pointer points back to the original RTN. 
If you take a look at the paper Marty wrote for LISA, you'll see it is
implemented like a tree.  Each RTN has a pointer right and a pointer
down.  To the right are RTNs and below are OTNs.

> And in rules.c the definition of function AddRspFuncToList:
> void AddRspFuncToList(int (*func) (Packet *, struct _RspFpList *),
> RuleTreeNode * rtn, void *params)
> {
>     RspFpList *idx;     /* index pointer */
> #ifdef DEBUG
>     printf("Adding response to list\n");
> #endif


Having looked at the code you've pointed out, you are the one who is
correct.  For some as of yet unknown reason, there is a linked list of
function pointers within the RTN for use with active response.  This was
an excellent spot on your part (I wasn't even aware of this).

Within sp_respond is:

AddRspFuncToList(Respond, otn->proto_node, (void *)rd );

The AddRspFuncToList function, as you pointed out, wants an RTN as its
second argument.  This was accomplished by passing otn->proto_node.  The
function pointer passed as the first argument is added to the linked
list of function pointers within the RTN.

> And this function has a comment inconsistent with the definition (OTN
> instead of RTN):
> /****************************************************************************
>  *
>  * Function: AddRspFuncToList(int (*func)(), OptTreeNode *)
>  *
>  * Purpose: Adds Response function to OTN
>  *
>  * Arguments: (*func)() => function pointer to the response module
>  *            otn =>  pointer to the current OptTreeNode
>  *
>  * Returns: void function
>  *
> ***************************************************************************/
> I'm almost certain that I'm missing something here, possibly I am not
> understanding the code but I would like to ... Can someone
> explain....Please!

The explanation is that none of us had ever looked at it in depth. 
Implementing the response functions within the RTN was wrong and will be
remedied.  Currently, it turns out the response functions will fire for
every different response on the OTN chain beneath the RTN the response
function is hung off.

So, you've got my attention and I'm working on it now.

The active response functions will be moved to within the OTN.


http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
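
The behaviour described in the message above, as an added example that is not part of the original post and is not Snort source code. The struct layouts, the function names (add_rsp, run_list, fire_rtn_scoped, fire_otn_scoped, responses_for_rule_a) and the two sample rules are simplified assumptions made for illustration.

```c
/* Added illustration: simplified model, not Snort's source. */
#include <stdio.h>
#include <stddef.h>

typedef struct Rsp { const char *action; struct Rsp *next; } Rsp;
typedef struct Rtn { Rsp *rsp_list; } Rtn;   /* rule header node */
typedef struct Otn {                          /* rule option node */
    const char *name;
    Rtn *proto_node;   /* back-pointer to the owning RTN */
    Rsp *rsp_list;     /* hypothetical per-OTN list (the announced fix) */
} Otn;

static void add_rsp(Rsp **head, Rsp *r) { r->next = *head; *head = r; }

/* Walk one response list and count how many entries fire. */
static int run_list(const char *rule, const Rsp *r) {
    int fired = 0;
    for (; r != NULL; r = r->next, fired++)
        printf("  %s -> %s\n", rule, r->action);
    return fired;
}

/* Responses looked up through the shared RTN (behaviour described above). */
int fire_rtn_scoped(const Otn *m) { return run_list(m->name, m->proto_node->rsp_list); }
/* Responses looked up on the matching OTN only. */
int fire_otn_scoped(const Otn *m) { return run_list(m->name, m->rsp_list); }

/* Two constructed rules share one header; each registers one response.
 * Returns how many responses fire when only rule A matches a packet. */
int responses_for_rule_a(int otn_scoped) {
    Rtn hdr = { NULL };
    Otn a = { "rule A", &hdr, NULL }, b = { "rule B", &hdr, NULL };
    Rsp ra = { "rst_snd", NULL }, rb = { "icmp_port", NULL };
    if (otn_scoped) {
        add_rsp(&a.rsp_list, &ra);
        add_rsp(&b.rsp_list, &rb);
        return fire_otn_scoped(&a);
    }
    add_rsp(&a.proto_node->rsp_list, &ra);   /* like passing otn->proto_node */
    add_rsp(&b.proto_node->rsp_list, &rb);
    return fire_rtn_scoped(&a);
}

int main(void) {
    printf("RTN-scoped: %d fired\n", responses_for_rule_a(0));
    printf("OTN-scoped: %d fired\n", responses_for_rule_a(1));
    return 0;
}
```
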
