[Snort-devel] Trying to develope a preprocesso

Jay Beale jay at ...2665...
Thu Nov 11 13:52:01 EST 2004


Raymond Pun wrote:
> Hi,
> 
> I would like to develop a preprocessor, and therefore I am trying to
> familiarize myself with snort and some other preprocessors.
> 
> I am trying to understand the telnet negotiation preprocessor but I have some
> doubts. I guess what the preprocessor is trying to do is replace some
> characters in the data. But I do not quite understand what
> "DecodeBuffer" is.  When data is written to DecodeBuffer, what will happen?
> Will it be written into p->data eventually? Is DecodeBuffer a general buffer
> that will be used to replace p->data?

It's actually creating an alternate decoding of the data where telnet
control sequences are removed.  The alternate decode of the packet data
is placed in DecodeBuffer.  The preprocessor signals that there's an
alternate decode of the data by setting the PKT_ALT_DECODE bit in that
packet's p->packet_flags.

What's being removed are the telnet escape sequences that negotiate
capabilities of the terminal.  You can read about this in RFC 854,
http://www.faqs.org/rfcs/rfc854.html.

This alternate decoding doesn't change the original data in p->data,
allowing Snort to have signatures that might catch anomalies or attacks
in that data by looking at p->data, while also having a normalized data
stream to inspect in DecodeBuffer.  Having that normalized data makes it
easier, or possible at all, to string-match attack patterns against data
without telnet escape sequences throwing off the string matching.

   - Jay

> Besides, could someone teach me how to generate an alert and how to
> print out a message to the console if snort is run with something like
> "snort -dev -A fast" ?
> 
> Many many thanks.
> 
> regards,
> Raymond
> 
> 
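Jay's description of the alternate decode (the original p->data is left untouched, a stripped copy goes into a separate buffer, and a flag bit tells the rest of Snort that the alternate decode exists) is sketched below as an added example in C. It is not Snort's code and not code from either poster; the names struct packet_view, telnet_strip, telnet_normalize, ALT_DECODE_MAX and PKT_ALT_DECODE_FLAG are hypothetical stand-ins for Snort's Packet, DecodeBuffer and PKT_ALT_DECODE, the sample payload is constructed, and the command byte values (IAC, WILL/WONT/DO/DONT, SB/SE) are the ones defined in RFC 854.

```c
/* Added example, not Snort's code: a minimal telnet-negotiation normalizer
 * in the style Jay describes. struct packet_view, telnet_strip,
 * telnet_normalize, ALT_DECODE_MAX and PKT_ALT_DECODE_FLAG are hypothetical
 * names standing in for Snort's Packet, DecodeBuffer and PKT_ALT_DECODE. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Command bytes from RFC 854. */
#define TN_IAC  255
#define TN_DONT 254
#define TN_DO   253
#define TN_WONT 252
#define TN_WILL 251
#define TN_SB   250
#define TN_SE   240

#define ALT_DECODE_MAX      1024   /* hypothetical size of the alternate buffer */
#define PKT_ALT_DECODE_FLAG 0x01   /* hypothetical flag bit, like PKT_ALT_DECODE */

struct packet_view {
    const uint8_t *data;          /* original payload, never modified (like p->data) */
    size_t len;
    uint8_t alt[ALT_DECODE_MAX];  /* normalized copy (like DecodeBuffer) */
    size_t alt_len;
    unsigned flags;               /* like p->packet_flags */
};

/* Copy in[0..len) to out with RFC 854 negotiation removed. Returns the number
 * of bytes written, or -1 if out is too small or a sequence is cut off at the
 * end of the payload (a real preprocessor would carry that state to the next
 * packet; here it is reported as a failure and no alternate decode is made). */
int telnet_strip(const uint8_t *in, size_t len, uint8_t *out, size_t outmax)
{
    size_t i = 0, o = 0;
    while (i < len) {
        uint8_t c = in[i];
        if (c != TN_IAC) {                 /* ordinary data byte */
            if (o >= outmax) return -1;
            out[o++] = c;
            i++;
            continue;
        }
        if (i + 1 >= len) return -1;       /* lone IAC at end of payload */
        uint8_t cmd = in[i + 1];
        if (cmd == TN_IAC) {               /* IAC IAC is an escaped data byte 0xFF */
            if (o >= outmax) return -1;
            out[o++] = TN_IAC;
            i += 2;
        } else if (cmd >= TN_WILL && cmd <= TN_DONT) {  /* three-byte option negotiation */
            if (i + 2 >= len) return -1;
            i += 3;
        } else if (cmd == TN_SB) {         /* subnegotiation: skip up to IAC SE */
            size_t j = i + 2;
            while (j + 1 < len) {
                if (in[j] == TN_IAC && in[j + 1] == TN_SE) break;
                if (in[j] == TN_IAC && in[j + 1] == TN_IAC) { j += 2; continue; }
                j++;
            }
            if (j + 1 >= len) return -1;   /* no IAC SE in this payload */
            i = j + 2;
        } else {
            i += 2;                        /* other two-byte commands (NOP, AYT, GA, ...) */
        }
    }
    return (int)o;
}

/* Produce the alternate decode. The flag is set only when the normalized copy
 * differs from the original, i.e. when at least one sequence was removed. */
int telnet_normalize(struct packet_view *p)
{
    int n = telnet_strip(p->data, p->len, p->alt, sizeof p->alt);
    if (n < 0) { p->alt_len = 0; return -1; }   /* rules keep seeing only p->data */
    p->alt_len = (size_t)n;
    if ((size_t)n != p->len) p->flags |= PKT_ALT_DECODE_FLAG;
    return n;
}

/* Constructed sample payload: negotiation interleaved with "login: user". */
size_t build_sample(uint8_t *buf)
{
    const uint8_t s[] = {
        TN_IAC, TN_DO, 24,                                          /* IAC DO TERMINAL-TYPE */
        'l', 'o', 'g',
        TN_IAC, TN_SB, 24, 0, 'V', 'T', '1', '0', '0', TN_IAC, TN_SE, /* subnegotiation */
        'i', 'n', ':', ' ',
        TN_IAC, TN_WILL, 1,                                         /* IAC WILL ECHO */
        'u', 's', 'e', 'r',
        TN_IAC, TN_IAC                                              /* escaped literal 0xFF */
    };
    memcpy(buf, s, sizeof s);
    return sizeof s;
}

int main(void)
{
    uint8_t raw[64];
    struct packet_view p;
    memset(&p, 0, sizeof p);
    p.len = build_sample(raw);
    p.data = raw;
    if (telnet_normalize(&p) < 0) { puts("truncated negotiation; no alternate decode"); return 1; }
    printf("original %zu bytes, normalized %zu bytes, flags=0x%x\n", p.len, p.alt_len, p.flags);
    fwrite(p.alt, 1, p.alt_len, stdout);
    putchar('\n');
    return 0;
}
```

A content match for "login: user" fails against the raw bytes because the subnegotiation block sits in the middle of the word, but succeeds against the alternate buffer; at the same time a rule looking for an odd or oversized negotiation still has the untouched original to inspect, which is the point of keeping both copies.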