[Snort-devel] Dynamic preprocessor question - access to Preprocess function
steve.sturges at ...402...
Wed Mar 28 16:51:49 EDT 2007
No, there is no current way to do this using the dynamic preprocessor
API, but it is reasonable as a feature request. I'll add that to
However, not sure when we'll get to adding it -- I can say with
some certainty that it won't appear in the 2.7.0 since the
feature sets are pretty set at this point.
As you're probably aware, with decryption (or gunzip or related
decoding), there will be a pretty significant performance impact
on the throughput when you encounter such a packet.
Vladimir Shcherbakov wrote:
> Hello All,
> I'm working on a SSL decryption Snort preprocessor that would decipher SSL
> traffic and pass the decrypted data back to Snort wrapped as fake network
> packets. Ideally, I'd like the preprocess to work the same way as Snort's
> own stream4 one, but implemented as a dynamic preprocessor to simplify the
> The only problem with this approach is that the dynamic preprocessor API
> only allows sending packets to the detection engine using the
> DynamicPreprocessorData.detect function, while I'd like to be able to send
> the decoded data back to the preprocessors layer so that (decoded) SSL
> traffic can be processed, say, with the stream4 preprocessor before it
> reaches the detection layer.
> Is there any way to do that? If not, does it look like something you (Snort
> developers) could consider as a feature request?
> Thanks in advance,
> Vladimir Shcherbakov
> SSLTech.net - SSL traffic decryption software
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
More information about the Snort-devel