[Snort-devel] Problems developing a detection plugin.
newsgroups at ...2117...
Sun Sep 7 08:59:02 EDT 2003
I am confused about how the rule detection engine works.
I have a rule:
alert tcp 220.127.116.11 80 -> $HOME_NET any (mykeyword: mykeyparms)
The 'mykeyword' detection engine should do something only on
packets really coming from 18.104.22.168:80, but after some debugging
I found out the rule matched any port 80 connections, not just from
Writing another quick 'mykeyword2' detection plugin with only
a single 'printf' which would print src/dst addresses confirmed
alert tcp 22.214.171.124 80 -> $HOME_NET any
What could cause the rule engine to trigger detection plugins if the packet
is not coming from/going to the IP addresses specified in
The only workaround I found: the ip/src addresses
are stored in otn->proto_node->dip/sip, so now I just compare
these with the actual p->iph->ip_src/ip_dst addresses.
If they match, I do my detection.
But still, I am curious why the rule engine calls the plugin
engine if the rule did not match the IP/port?
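The workaround described above (gating the keyword's own check on whether the packet really matches the rule header's addresses and ports) as an added, self-contained model in C. This is not Snort's code or API: the RuleHeader/PacketAddrs structs and the sample rule are hypothetical stand-ins for otn->proto_node->sip/dip and p->iph->ip_src/ip_dst, and the addresses are constructed documentation values.

```c
#include <stdint.h>
#include <arpa/inet.h>   /* inet_addr(), ntohl() */

/* Hypothetical, simplified stand-in for a rule header's address/port fields
 * (not the real Snort structures). Addresses are kept in host byte order. */
typedef struct {
    uint32_t ip;       /* network address of the rule's CIDR, host order */
    uint32_t mask;     /* 0xffffffff for a single host */
    int      negated;  /* 1 when the rule wrote "!addr" */
} RuleAddr;

typedef struct {
    RuleAddr src, dst;
    uint16_t sport, dport;   /* 0 stands for "any" */
} RuleHeader;

typedef struct {
    uint32_t src, dst;       /* as ntohl(p->iph->ip_src.s_addr) would give */
    uint16_t sport, dport;
} PacketAddrs;

static int addr_matches(const RuleAddr *r, uint32_t ip)
{
    int in_set = ((ip & r->mask) == (r->ip & r->mask));
    return r->negated ? !in_set : in_set;   /* honour "!addr" negation */
}

static int port_matches(uint16_t rule_port, uint16_t pkt_port)
{
    return rule_port == 0 || rule_port == pkt_port;
}

/* Gate for an option plugin: run the keyword's detection only when the
 * packet's addresses and ports really match the rule header. */
int header_matches(const RuleHeader *h, const PacketAddrs *p)
{
    return addr_matches(&h->src, p->src) && addr_matches(&h->dst, p->dst)
        && port_matches(h->sport, p->sport) && port_matches(h->dport, p->dport);
}

static uint32_t ip4(const char *dotted) { return ntohl(inet_addr(dotted)); }

/* Constructed sample rule "tcp 192.0.2.10 80 -> 10.0.0.0/8 any", checked
 * against a packet given as dotted addresses and ports; returns 1 on match. */
int check_sample(const char *src, const char *dst, uint16_t sport, uint16_t dport)
{
    RuleHeader h = { { ip4("192.0.2.10"), 0xffffffffu, 0 },
                     { ip4("10.0.0.0"),   0xff000000u, 0 }, 80, 0 };
    PacketAddrs p = { ip4(src), ip4(dst), sport, dport };
    return header_matches(&h, &p);
}
```

A plugin's option handler would call such a gate first and return 0 without running its keyword logic when the gate fails.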