[Snort-devel] Packet Flags and preprocessors.....

Stefan Bauer mail at ...1970...
Wed May 7 00:41:20 EDT 2003


Hello Mailinglist.
I'm new to this list and I've got a little problem / question. I'm a student of informatics and am playing a little bit with the source code of snort to develop my own preprocessor to play with. ;-)
I found in the source code the ability to check via p->preprocessors whether a preprocessor will go through a packet or not.
This parameter is set after every preprocessor to the default value of PP_ALL.
Another interesting option is the p->packet_flags variable to set / get more info about a packet. But I realized that the packet_flags are set to 0 when it comes into the ProcessPacket routine.
Now I'd like to get all packets that are not defragmented. How can I see this in snort?
The spp_frag2 sets the defrag_packet->packet_flags explicitly to PKT_REBUILT_FRAG and sends it to ProcessPacket(). The first action here is setting these flags to zero. Is this normal? How can I get the information in other preprocessors that the packet is rebuilt?

Hoping for answers...

Stefan




