[Snort-devel] Re: Problems developing a detection plugin.

Milani Paolo Paolo.Milani at ...866...
Mon Sep 8 15:38:02 EDT 2003


OK, maybe I can help you out, since I had a chance to write a detection plugin myself.
Your detection function (the one registered by calling AddOptFuncToList() ) is going to be called at some point during the testing of the rule: currently, options (such as your mykeyword) are tested before headers (src-dst ip+port), except that, thanks to the new (snort 2.0) rule optimiser, only rules in the correct port group are going to be tested (in your case, rules in dst group 80).

> Is there a way to see in the data available to a
> detection plugin if the rule really matched the packet?
> Without writing enormous extra algorithms?
You can't, because the testing (against the rule header) has not been performed yet when your detection plugin gets to work.

If you want to perform some processing only if the rule really matched, you can call AddRspFuncToList. This adds your function to a list of functions that get called after the rule match has occurred, and before alerts are generated.

My 2 cents,
Paolo Milani
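To make the ordering described in this reply concrete, here is a small self-contained C model, added here and not Snort's code or anything posted in the thread: the option test that AddOptFuncToList() registers runs for every packet in the rule's port group, the rule header (src/dst ip and port) is checked afterwards, and only then do the callbacks registered with AddRspFuncToList() run. The struct names mirror Snort's but are cut-down stand-ins, and the packets, the "any" encoding as 0 and the call counters are constructed for the model.

```c
#include <stdint.h>
#include <stddef.h>

/* Minimal stand-ins for the Snort structures the thread names (constructed for this model, not Snort's headers). */
typedef struct { uint32_t ip_src, ip_dst; uint16_t sp, dp; } Packet;
typedef struct { uint32_t sip, dip; uint16_t hsp, hdp; } ProtoNode;   /* otn->proto_node; 0 means "any" */
struct _OptTreeNode;
typedef struct _OptFpList { int (*OptTestFunc)(Packet *, struct _OptTreeNode *, struct _OptFpList *);
                            struct _OptFpList *next; } OptFpList;
typedef struct _RspFpList { int (*ResponseFunc)(Packet *, struct _RspFpList *); struct _RspFpList *next; } RspFpList;
typedef struct _OptTreeNode { ProtoNode *proto_node; OptFpList *opt_func; RspFpList *rsp_func; } OptTreeNode;
static int opt_calls, guarded_calls, rsp_calls;   /* instrumentation, not part of Snort */

/* The 'mykeyword' option test (what AddOptFuncToList registers): runs before the header is checked. */
static int MyKeywordTest(Packet *p, OptTreeNode *otn, OptFpList *fp) {
    opt_calls++;
    if (p->ip_src == otn->proto_node->sip) guarded_calls++;   /* the poster's workaround: rule sip vs packet */
    return fp->next ? fp->next->OptTestFunc(p, otn, fp->next) : 1;   /* chain to the next option */
}

/* The post-match hook (what AddRspFuncToList registers): runs only after the header matched. */
static int MyKeywordResponse(Packet *p, RspFpList *fp) { (void)p; (void)fp; rsp_calls++; return 1; }

static int HeaderMatch(Packet *p, ProtoNode *h) {
    return (!h->sip || p->ip_src == h->sip) && (!h->dip || p->ip_dst == h->dip)
        && (!h->hsp || p->sp == h->hsp) && (!h->hdp || p->dp == h->hdp);
}

/* Evaluation order from the reply: port group, option functions, rule header, then the response list. */
static int EvalRule(Packet *p, OptTreeNode *otn) {
    if (p->sp != otn->proto_node->hsp) return 0;                        /* not in the port-80 group */
    if (!otn->opt_func->OptTestFunc(p, otn, otn->opt_func)) return 0;   /* options tested first */
    if (!HeaderMatch(p, otn->proto_node)) return 0;                     /* src/dst ip tested only now */
    for (RspFpList *r = otn->rsp_func; r; r = r->next) r->ResponseFunc(p, r);
    return 1;                                                           /* rule fired: alert */
}

/* Rule "alert tcp 1.2.3.4 80 -> any any (mykeyword)" against three constructed packets; returns the alert count. */
int RunModel(int *opt, int *guarded, int *rsp) {
    ProtoNode hdr = { 0x01020304u, 0, 80, 0 };
    OptFpList opt_list = { MyKeywordTest, NULL }; RspFpList rsp_list = { MyKeywordResponse, NULL };
    OptTreeNode otn = { &hdr, &opt_list, &rsp_list };
    Packet pkts[] = { { 0x01020304u, 0x0a000005u, 80, 1234 },     /* 1.2.3.4:80  -> full match */
                      { 0x05060708u, 0x0a000005u, 80, 1235 },     /* 5.6.7.8:80  -> option runs, header fails */
                      { 0x01020304u, 0x0a000005u, 443, 1236 } };  /* 1.2.3.4:443 -> outside the port group */
    int alerts = 0; opt_calls = guarded_calls = rsp_calls = 0;
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) alerts += EvalRule(&pkts[i], &otn);
    *opt = opt_calls; *guarded = guarded_calls; *rsp = rsp_calls;
    return alerts;
}
```

The option test fires twice (both port-80 packets) while the response hook fires once, which is exactly why the rule appeared to match 5.6.7.8 inside 'mykeyword' but the response-list approach does not.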

Message: 1
Date: Sun, 7 Sep 2003 18:56:26 +0300
From: Peteris Krumins <newsgroups at ...2117...>
Reply-To: Peteris Krumins <newsgroups at ...2117...>
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Problems developing a detection plugin.


 Hello,

  I am confused about how the rule detection engine works.

  For example,
  I have a rule:
   alert tcp 1.2.3.4 80 -> $HOME_NET any (mykeyword: mykeyparms)

  The 'mykeyword' detection engine should do something only on
  packets really coming from 1.2.3.4:80, but after some debugging
  I found out the rule matched any port 80 connections, not just
  those from 1.2.3.4.
  Writing another quick 'mykeyword2' detection plugin with only
  a single 'printf' which would print src/dst addresses confirmed
  this.

  But
   alert tcp 1.2.3.4 80 -> $HOME_NET any

  works correctly.

  What could cause the rule engine to trigger detection plugins if the packet
  is not coming from/going to the IP addresses specified in the
  rule?

  The only workaround I found: the src/dst IP addresses
  are stored in otn->proto_node->dip/sip, so now I just compare
  these with the actual p->iph->ip_src/ip_dst addresses.
  If they match I do my detection.

  But still, I am curious why the rule engine calls the plugin
  engine if the rule did not match the IP/port.

   
P.Krumins



--__--__--

Message: 2
Date: Sun, 7 Sep 2003 22:13:05 +0300
From: Peteris Krumins <newsgroups at ...2117...>
Reply-To: Peteris Krumins <newsgroups at ...2117...>
To: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Problems developing a detection plugin.

Sunday, September 7, 2003, 6:56:26 PM, you wrote:


PK>  Hello,

[...]

PK>   The only workaround I found: the src/dst IP addresses
PK>   are stored in otn->proto_node->dip/sip, so now I just compare
PK>   these with the actual p->iph->ip_src/ip_dst addresses.
PK>   If they match I do my detection.


 This is not as easy to make work correctly as I thought.

 Is there a way to see, in the data available to a
 detection plugin, if the rule really matched the packet?
 Without writing enormous extra algorithms?


P.Krumins









