[Snort-devel] DNS protocol plugin
cmg at ...402...
Mon Mar 18 09:20:09 EST 2002
scott campbell <axonpotential at ...398...> writes:
> I have put together a DNS protocol plugin that will
> allow you to write rules based on the content of both
> the header fields and the recursive data structures
> within. The software works and has been more or less
> tested, but should be treated like all alpha code.
> To get it working, please carefully read the
> instructions on the web site - it will be required to
> extend the Packet type in order to have a place to put
> the required data. If someone knows a better way,
> please let me know and I would be more than happy to
> change the design.
For right now, that's the way we have to do it. In snort 2.0, we should
be able to find a better way to do it. We are also going to have to
have a better way to pass streams to higher level TCP decoders.
Noticed that your plugin will register for TCP as well as UDP? Is
> I have code, plugin options and examples of use on the
> Other links on the page go to the DNS preprocessor -
> the two work well together!
Actually that's the first I'd seen that.
/* traffic to and from udp:53 */
if(p->dp != 53 && p->sp != 53)
You're using the dns preprocessor to make sure that dns traffic is
"normal" but ignoring most of the potentially weird traffic.
> Please let me know if anyone actually tests this out
> or feedback you get.
Just coding conventions as we're moving towards them (and inventing
them :-) )
Just a small note that although we currently use the :# bit syntax for
the Header options, we may have to switch to a macro based approach to
support some of the more broken incantations of GCC.
Also, we're factoring out printfs and fprintfs
Nice documentation, do you mind if we also include that when we accept
Chris Green <cmg at ...402...>
A watched process never cores.
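Added illustration of the port-53 gate quoted above; this is example code written for this page, not code from the DNS plugin, the DNS preprocessor, or anyone in the thread. It keeps the gate as written (to or from udp:53) and sets beside it a content-based check that goes a step beyond the thread: a parse of the 12-byte DNS header and the question section per RFC 1035, applied regardless of port. The udp_pkt struct is a hypothetical stand-in for Snort's Packet type, and the two sample payloads are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal UDP packet view (assumption: not Snort's Packet type). */
struct udp_pkt {
    uint16_t sp, dp;          /* source / destination port */
    const uint8_t *payload;   /* UDP payload */
    size_t len;
};

/* The port gate from the thread: keep only traffic to or from udp:53. */
int port53_gate(const struct udp_pkt *p)
{
    return p->dp == 53 || p->sp == 53;
}

/* Walk 'count' questions starting at 'off'; return 1 if they all fit in the buffer. */
static int walk_questions(const uint8_t *buf, size_t len, size_t off, unsigned count)
{
    while (count--) {
        for (;;) {                       /* QNAME: labels until a 0 byte or a pointer */
            if (off >= len) return 0;
            uint8_t l = buf[off];
            if (l == 0) { off += 1; break; }
            if ((l & 0xC0) == 0xC0) {    /* compression pointer (2 bytes) ends the name */
                if (off + 2 > len) return 0;
                off += 2;
                break;
            }
            if (l > 63) return 0;        /* 0x40 / 0x80 label types are reserved (RFC 1035) */
            off += 1 + l;
        }
        if (off + 4 > len) return 0;     /* QTYPE + QCLASS */
        off += 4;
    }
    return 1;
}

/* Content-based plausibility check: does this payload parse as a DNS header
 * (RFC 1035 section 4.1.1) with a question section that fits? Port-independent. */
int looks_like_dns(const uint8_t *buf, size_t len)
{
    if (len < 12) return 0;                          /* fixed header is 12 bytes */
    uint16_t flags  = (uint16_t)(buf[2] << 8 | buf[3]);
    unsigned qr     = (flags >> 15) & 1;
    unsigned opcode = (flags >> 11) & 0xF;
    uint16_t qd     = (uint16_t)(buf[4] << 8 | buf[5]);
    if (opcode > 5) return 0;                        /* QUERY..UPDATE are the assigned opcodes */
    if (flags & 0x0040) return 0;                    /* Z bit must be zero */
    if (qr == 0 && qd == 0) return 0;                /* a query carries at least one question */
    return walk_questions(buf, len, 12, qd);
}

/* Constructed sample payloads (not captured traffic). */
const uint8_t DNS_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* header: RD, QD=1 */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,                     /* example.com */
    0x00, 0x01, 0x00, 0x01 };                                               /* A, IN */
const uint8_t HTTP_JUNK[] = "GET / HTTP/1.0\r\n";   /* non-DNS bytes sent to port 53 */

int main(void)
{
    struct udp_pkt samples[] = {
        { 40000, 53,   DNS_QUERY, sizeof DNS_QUERY },      /* real DNS on 53 */
        { 40000, 5353, DNS_QUERY, sizeof DNS_QUERY },      /* real DNS on an odd port */
        { 40000, 53,   HTTP_JUNK, sizeof HTTP_JUNK - 1 },  /* junk on 53 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct udp_pkt *p = &samples[i];
        printf("sp=%u dp=%u port-gate=%d dns-shaped=%d\n", p->sp, p->dp,
               port53_gate(p), looks_like_dns(p->payload, p->len));
    }
    return 0;
}
```

Run stand-alone, the three rows show the two checks disagreeing in both directions: the port gate passes the junk on 53 and drops the well-formed query on 5353, while the header walk does the reverse. Neither is sufficient alone; the header walk is the kind of "is it actually DNS-shaped" test a preprocessor can apply before handing the packet to rule matching, and its length checks are what keep a truncated question section from reading past the buffer.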