[Snort-devel] Dynamic preprocessor question - access to Preprocess function

Steven Sturges steve.sturges at ...402...
Wed Mar 28 16:51:49 EDT 2007


Hi Vladimir--

No, there is no current way to do this using the dynamic preprocessor
API, but it is reasonable as a feature request.  I'll add that to
our queue...

However, not sure when we'll get to adding it -- I can say with
some certainty that it won't appear in the 2.7.0 since the
feature sets are pretty set at this point.

As you're probably aware, with decryption (or gunzip or related
decoding), there will be a pretty significant performance impact
on the throughput when you encounter such a packet.

Cheers.
-steve

Vladimir Shcherbakov wrote:
> Hello All,
> 
> I'm working on an SSL decryption Snort preprocessor that would decipher SSL
> traffic and pass the decrypted data back to Snort wrapped as fake network
> packets. Ideally, I'd like the preprocessor to work the same way as Snort's
> own stream4 one, but implemented as a dynamic preprocessor to simplify the
> deployment.
> 
> The only problem with this approach is that the dynamic preprocessor API
> only allows sending packets to the detection engine using the
> DynamicPreprocessorData.detect function, while I'd like to be able to send
> the decoded data back to the preprocessors layer so that (decoded) SSL
> traffic can be processed, say, with the stream4 preprocessor before it
> reaches the detection layer.
> 
> Is there any way to do that? If not, does it look like something you (Snort
> developers) could consider as a feature request?
> 
> Thanks in advance,
> 
> Vladimir Shcherbakov
> 
> SSLTech.net - SSL traffic decryption software
> http://www.ssltech.net
> 