[Snort-devel] Problems developing a detection plugin.

Peteris Krumins newsgroups at ...2117...
Sun Sep 7 08:59:02 EDT 2003


  I am confused about how the rule detection engine works.

  For example,
  I have a rule:
   alert tcp 80 -> $HOME_NET any (mykeyword: mykeyparms)

  The 'mykeyword' detection engine should do something only on
  packets really coming from but after some debugging
  I found out the rule matched any port 80 connections, not just from
  Writing another quick 'mykeyword2' detection plugin with only
  a single 'printf' which would print src/dst addresses confirmed

   alert tcp 80 -> $HOME_NET any

  works correctly.
  What could cause the rule engine to trigger detection plugins if the packet
  is not coming from/going to the ip addresses specified in

  The only workaround I found: the ip src/dst addresses
  are stored in otn->proto_node->dip/sip, so now I just compare
  these w/ the actual p->iph->ip_src/ip_dst addresses.
  If they match I do my detection.

  But still, I am curious why the rule engine calls the plugin
  engine if the rule did not match the ip/port?
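An added C example, not from the original post and not Snort's own source, modelling the workaround the poster describes: the rule's source/destination address and netmask are compared against the packet's addresses before the plugin's own detection runs. The struct and function names below are constructed stand-ins, not Snort's real RuleTreeNode / IPHdr definitions.

```c
#include <stdint.h>
#include <arpa/inet.h>

/* Constructed stand-ins for the fields the post refers to
 * (otn->proto_node->sip/dip and p->iph->ip_src/ip_dst).
 * These are NOT Snort's real structures; they only model the comparison. */
typedef struct {
    uint32_t addr;     /* network byte order */
    uint32_t netmask;  /* network byte order; 0 means "any" */
} RuleAddr;

typedef struct {
    RuleAddr sip;      /* rule source address/mask */
    RuleAddr dip;      /* rule destination address/mask */
} RuleNode;

typedef struct {
    uint32_t ip_src;   /* packet source, network byte order */
    uint32_t ip_dst;   /* packet destination, network byte order */
} PacketHdr;

/* 1 when a single packet address falls inside the rule's address/netmask. */
static int addr_matches(const RuleAddr *r, uint32_t pkt)
{
    return (pkt & r->netmask) == (r->addr & r->netmask);
}

/* The manual check from the post: run detection only when both the
 * source and the destination of the packet satisfy the rule. */
int rule_ip_matches(const RuleNode *rtn, const PacketHdr *iph)
{
    return addr_matches(&rtn->sip, iph->ip_src) &&
           addr_matches(&rtn->dip, iph->ip_dst);
}

/* Build a RuleAddr from dotted-quad text and a prefix length (0 = any). */
RuleAddr make_rule_addr(const char *dotted, int prefix)
{
    RuleAddr r;
    struct in_addr in;
    inet_pton(AF_INET, dotted, &in);
    r.addr = in.s_addr;
    r.netmask = (prefix <= 0) ? 0 : htonl(0xFFFFFFFFu << (32 - prefix));
    return r;
}

/* Convenience wrapper: does packet psrc->pdst match rule rsrc/rpre -> rdst/dpre? */
int check_case(const char *rsrc, int rpre, const char *rdst, int dpre,
               const char *psrc, const char *pdst)
{
    RuleNode rtn;
    PacketHdr p;
    struct in_addr in;
    rtn.sip = make_rule_addr(rsrc, rpre);
    rtn.dip = make_rule_addr(rdst, dpre);
    inet_pton(AF_INET, psrc, &in); p.ip_src = in.s_addr;
    inet_pton(AF_INET, pdst, &in); p.ip_dst = in.s_addr;
    return rule_ip_matches(&rtn, &p);
}
```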


