[Snort-devel] Timer in the flows preprocessor

Jay Beale jay at ...2665...
Fri Nov 12 13:00:01 EST 2004


Raymond Pun wrote:
> Hi,
> 
> I have a further question.
> 
> In the snort config, we have specified the home network address, like 
> 192.168.1.0/24.  How can I get that info in my preprocessor? Or is there 
> any function that determines whether a given IP address is within a home network, 
> something like IsHomeNetworkIP(in_addr *ip_addr)?

Well, the HOME_NETWORK variable seems to be used only by the rules, as a
substitution variable.  Preprocessors that take IP addresses on their
line in the snort.conf file can quote that variable, but the
preprocessor needs to parse those configuration-file IP addresses on
its own.  Snort doesn't store that value internally in a variable.

Now, Snort does keep a pv.homenet variable, which is populated either by
the -h command-line switch or by the ?undocumented? reference_net
snort.conf directive.  The former is handled by snort.c's
ParseCmdLine(), while the latter is handled by parser.c's ParseConfig(),
both of which call GenHomenet() to parse the network and place it in the
global pv.homenet variable. pv holds program variables and is defined in
snort.h's _progvars struct type.

The pv.homenet variable is primarily used for outputting the "direction"
of a packet in sp_session, deciding the output file in spo_log_ascii,
and figuring out which IP addresses to obfuscate in -O mode in
detect.c's ObfuscatePacket().  It's not used in any of the preprocessors
yet.

The preprocessors can access this variable through plugbase.c's
DestinationIpIsHomenet() and SourceIpIsHomenet() routines, which just
tell you if the packet's destination or source IP, respectively, is in
the network defined by pv.homenet.  They could also just use the
variable directly.

  - Jay

PS As I'm reading code here to explain this, please feel free to correct
me if I've missed anything or misunderstood the intent of the
reference_net snort.conf variable.
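The home-network check Raymond asks about, as an added example that is not Snort's own code and not part of this thread: a hypothetical parse_homenet() does the CIDR parsing Jay says each preprocessor must handle for itself, is_homenet_ip() plays the role of the IsHomeNetworkIP() from the question, and struct homenet is a stand-in for the network/mask pair behind pv.homenet, not Snort's real type.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the network/mask pair Snort keeps in pv.homenet;
 * both fields are in network byte order, as inet_pton() delivers them. */
struct homenet { uint32_t net, mask; };

/* Parse "a.b.c.d/bits" (a bare address counts as /32) into *hn.
 * Returns 0 on success, -1 on malformed input. This is the parsing a
 * preprocessor must do itself for addresses written on its snort.conf line. */
int parse_homenet(const char *cidr, struct homenet *hn)
{
    char buf[32], *slash, *end;
    long bits = 32; uint32_t hostmask; struct in_addr addr;
    if (strlen(cidr) >= sizeof(buf))
        return -1;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        /* reject a bare "/", trailing junk, and prefixes outside 0..32 */
        if (slash[1] == '\0' || *end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;
    /* shifting a 32-bit value by 32 is undefined, so special-case /32 */
    hostmask = (bits == 32) ? 0u : (0xffffffffu >> bits);
    hn->mask = htonl(~hostmask);
    hn->net  = addr.s_addr & hn->mask;   /* 192.168.1.7/24 -> 192.168.1.0 */
    return 0;
}

/* The IsHomeNetworkIP() the question asks about: 1 if ip lies inside hn. */
int is_homenet_ip(const struct in_addr *ip, const struct homenet *hn)
{
    return (ip->s_addr & hn->mask) == hn->net;
}

/* One-shot form on dotted-quad strings; -1 if either string is malformed. */
int ip_in_cidr(const char *ipstr, const char *cidr)
{
    struct homenet hn; struct in_addr ip;
    if (parse_homenet(cidr, &hn) != 0 || inet_pton(AF_INET, ipstr, &ip) != 1)
        return -1;
    return is_homenet_ip(&ip, &hn);
}
```

Because the comparison masks both sides, host bits left in the configured value (192.168.1.7/24) are harmlessly discarded, and a malformed prefix is refused rather than silently treated as /0.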


> 
> many many thanks.
> 
> regards,
> Raymond
> 
> ----- Original Message ----- From: "Jay Beale" <jay at ...2665...>
> To: "Raymond Pun" <raymondpun80 at ...445...>
> Cc: <snort-devel at lists.sourceforge.net>
> Sent: Friday, November 12, 2004 04:17
> Subject: Re: [Snort-devel] Timer in the flows preprocessor
> 
> 
>> Raymond Pun wrote:
>>
>>> Hi,
>>>
>>> There is a parameter for the flow preprocessor that tells the interval
>>> for reporting statistics. How does the flow preprocessor output to screen
>>> periodically? Is it using some kind of timer? I am not able to find it in
>>> the code. Could someone please point it out to me?
>>
>>
>> Well, the interval is set to the default in FlowInit() and then set to
>> the value written in the config file, if any, by FlowParseArgs().  They
>> store this in the s_config struct's stats_interval variable.
>>
>> In FlowPreprocessor(), this is used by this code:
>>
>> /* printout some verbose statistics */
>>    if(s_config.stats_interval  &&
>>       ((last_output + s_config.stats_interval) <= p->pkth->ts.tv_sec))
>>    {
>>        last_output =  p->pkth->ts.tv_sec;
>>
>>        if(!pv.quiet_flag)
>>            flowcache_stats(stdout, fcache);
>>    }
>>
>> The code here checks if this packet came in stats_interval or more
>> seconds since the time of the last output.  If it has, it sets
>> last_output to the time of the current packet and calls
>> flowcache_stats() to print statistics.
>>
>> That function is in the flow_cache.c code in the preprocessor/flow
>> directory, which might be confusing you.  The flow and HttpInspect
>> preprocessors get their own directories for most of their code, as it's
>> broken up into a number of files.
>>
>> - Jay
>>
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by:
>> Sybase ASE Linux Express Edition - download now for FREE
>> LinuxWorld Reader's Choice Award Winner for best database on Linux.
>> http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>