[Snort-devel] Problem trying to generate full packet dumps from preprocessors in snort-1.8.7 betas.

Andreas Östling andreaso at ...387...
Fri May 31 13:13:04 EDT 2002


I was playing around with a simple preprocessor using snort-1.8.7beta6
and could not manage to generate alerts with full packet dumps from it.
Generating alerts is no problem. The alerts show up in the alert file but
that's it (yes, I'm using -d). No dirs created, and when in binary logging
mode the binary log stays empty even though alerts are being generated.
(When using a regular test rule, alerts including full dumps are being
generated for it just as expected. Only the preprocessor is a problem.)

After creating event and logmsg, I call:

CallAlertFuncs(p, logmsg, NULL, &event);
CallLogFuncs(p, logmsg, NULL, &event);

Shouldn't that be enough? (p is the usual Packet pointer, which isn't
NULL.)

I then tried the preprocessor with 1.8.6 (and also 1.9-dev) with the
same configuration and everything worked like a charm. I suddenly got
alerts and packet dumps just as I wanted. A quick test with the other
preprocessors (stream4, unidecode etc) gives the same result; in 1.8.6
they generate alerts with full packet dumps but in 1.8.7 there are only
alerts.

So, is the behaviour different in 1.8.7 or is it a bug, or did I simply
miss something?

Perhaps I should have dug a little deeper into this, but I thought I'd
throw out the question in case I've missed something obvious.

/Andreas




