[Snort-devel] Problems developing a detection plugin.

Peteris Krumins newsgroups at ...2117...
Sun Sep 7 08:59:02 EDT 2003


 Hello,

  I am confused about how the rule detection engine works.

  For example,
  I have a rule:
   alert tcp 1.2.3.4 80 -> $HOME_NET any (mykeyword: mykeyparms)

  The 'mykeyword' detection engine should do something only on
  packets really coming from 1.2.3.4:80, but after some debugging
  I found out the rule matched any port 80 connections, not just from
  1.2.3.4.
  Writing another quick 'mykeyword2' detection plugin with only
  a single 'printf' which would print src/dst addresses confirmed
  this.

  But
   alert tcp 1.2.3.4 80 -> $HOME_NET any

  works correctly.
  
  What could cause the rule engine to trigger detection plugins if the packet
  is not coming from/going to the IP addresses specified in the
  rule?

  The only workaround I found: the IP src/dst addresses
  are stored in otn->proto_node->dip/sip, so now I just compare
  these with the actual p->iph->ip_src/ip_dst addresses.
  If they match I do my detection.

  But still, I am curious why the rule engine calls the plugin
  engine if the rule did not match the IP/port?

   
P.Krumins
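The workaround described in the post (re-checking the packet's addresses inside the option plugin before acting) as an added, stand-alone C example; this is not code from the post or from Snort. It models the rule header and the packet with hypothetical structs (rule_hdr_t, pkt_t) instead of Snort's RuleTreeNode/Packet, assumes $HOME_NET is 10.0.0.0/8, and uses constructed packets. It goes slightly beyond the post by matching netmasks, 'any' ports and the '<>' direction operator rather than exact addresses only.

```c
/* Added example, not from the original post or from Snort: an option
 * callback that guards itself by re-validating the packet 5-tuple
 * against the rule header it belongs to. All struct and field names
 * are hypothetical stand-ins for Snort's RuleTreeNode/Packet. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

#define PORT_ANY 0            /* hypothetical marker for 'any' port */

typedef struct { uint32_t addr, mask; } ipnet_t;   /* network byte order; mask 0 = any */

typedef struct {
    ipnet_t  src, dst;
    uint16_t sport, dport;    /* host byte order; PORT_ANY matches all */
    int      bidirectional;   /* 1 for '<>', 0 for '->' */
} rule_hdr_t;

typedef struct {
    uint32_t ip_src, ip_dst;  /* network byte order, like p->iph->ip_src */
    uint16_t sport, dport;    /* host byte order */
} pkt_t;

/* Parse "a.b.c.d", "a.b.c.d/nn" or "any" (zero mask). Returns 0 on error. */
int parse_net(const char *s, ipnet_t *out)
{
    char buf[32], *slash;
    int bits = 32;
    struct in_addr ia;

    if (strcmp(s, "any") == 0) { out->addr = 0; out->mask = 0; return 1; }
    if (strlen(s) >= sizeof buf) return 0;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) { *slash = '\0'; bits = atoi(slash + 1); }
    if (bits < 0 || bits > 32 || inet_pton(AF_INET, buf, &ia) != 1) return 0;
    out->mask = bits == 0 ? 0 : htonl(0xffffffffu << (32 - bits));
    out->addr = ia.s_addr & out->mask;
    return 1;
}

static int net_match(const ipnet_t *n, uint32_t a) { return (a & n->mask) == n->addr; }
static int port_match(uint16_t r, uint16_t p)      { return r == PORT_ANY || r == p; }

static int header_match_oneway(const rule_hdr_t *r, const pkt_t *p)
{
    return net_match(&r->src, p->ip_src) && port_match(r->sport, p->sport)
        && net_match(&r->dst, p->ip_dst) && port_match(r->dport, p->dport);
}

/* Full header check; '<>' is handled by also trying the swapped tuple. */
int header_match(const rule_hdr_t *r, const pkt_t *p)
{
    if (header_match_oneway(r, p)) return 1;
    if (r->bidirectional) {
        pkt_t sw = { p->ip_dst, p->ip_src, p->dport, p->sport };
        return header_match_oneway(r, &sw);
    }
    return 0;
}

/* Hypothetical 'mykeyword' callback: header guard first, then the real work. */
int mykeyword_check(const rule_hdr_t *r, const pkt_t *p)
{
    if (!header_match(r, p))
        return 0;             /* packet does not belong to this rule: do nothing */
    return 1;                 /* real detection logic would go here */
}

/* Header of  alert tcp 1.2.3.4 80 -> $HOME_NET any  with $HOME_NET = 10.0.0.0/8 (assumed). */
int build_example_rule(rule_hdr_t *r)
{
    memset(r, 0, sizeof *r);
    if (!parse_net("1.2.3.4", &r->src) || !parse_net("10.0.0.0/8", &r->dst)) return 0;
    r->sport = 80; r->dport = PORT_ANY; r->bidirectional = 0;
    return 1;
}

/* Constructed packet for the demonstration. */
pkt_t mk_pkt(const char *s, uint16_t sp, const char *d, uint16_t dp)
{
    pkt_t p;
    inet_pton(AF_INET, s, &p.ip_src);
    inet_pton(AF_INET, d, &p.ip_dst);
    p.sport = sp; p.dport = dp;
    return p;
}

int main(void)
{
    rule_hdr_t r;
    if (!build_example_rule(&r)) return 1;
    pkt_t good = mk_pkt("1.2.3.4", 80, "10.1.2.3", 40000);
    pkt_t bad  = mk_pkt("5.6.7.8", 80, "10.1.2.3", 40000);   /* other port-80 source */
    printf("1.2.3.4:80 -> fires=%d\n", mykeyword_check(&r, &good));
    printf("5.6.7.8:80 -> fires=%d\n", mykeyword_check(&r, &bad));
    return 0;
}
```

The guard is the point: whatever path the engine takes to reach the option callback, the callback only acts when the packet actually satisfies the rule header, which is exactly the difference the post observed between the bare header rule and the rule carrying the custom option.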




