[Snort-devel] DNS protocol plugin

Chris Green cmg at ...402...
Mon Mar 18 09:20:09 EST 2002

scott campbell <axonpotential at ...398...> writes:

> I have put together a DNS protocol plugin that will
> allow you to write rules based on the content of both
> the header fields and the recursive data structures
> within.  The software works and has been more or less
> tested, but should be treated like all alpha code.
> To get it working, please carefully read the
> instructions on the web site - it will be required to
> extend the Packet type in order to have a place to put
> the required data.  If someone knows a better way,
> please let me know and I would be more than happy to
> change the design.

For right now, thats the way we have to do it. In snort 2.0, we should
be able to find a better way to do it.  We are also going to have to
have a better way to pass streams to higher level TCP decoders.

Noticed that your plugin will register for TCP as well as UDP?  Is
this intended?

> I have code, plugin options and examples of use on the
> page:
> http://www.geocities.com/axonpotential/snort/#DNS_PLUG
> Other links on the page go to the DNS preprocessor -
> the two work well together!

Actually thats the first I'd seen that.

	/* traffic to and from udp:53 */
	if(p->dp != 53 && p->sp != 53)

You're using the dns preprocessor to make sure that dns traffic is
"normal" but ignoring most of the potentially weird traffic.

> Please let me know if anyone actually tests this out
> or feedback you get.

Just coding conventions as we're moving towards them ( and inventing
them :-) )

Just a small note that although we currently use the :# bit syntax for
the Header options, we may have to switch to a macro based approach to
support some of the more broken incantations of GCC.

Also, we're factoring out printfs and fprintfs

#ifdef DEBUG


  DebugMessage(DEBUG_PLUGIN, ...)

Nice documentation, do you mind if we also include that when we accept

Chris Green <cmg at ...402...>
A watched process never cores.

More information about the Snort-devel mailing list