[Snort-devel] Dynamic preprocessor question - access to Preprocess function

Vladimir Shcherbakov vladimir at ...2929...
Thu Mar 29 17:04:44 EDT 2007


Hi Steven,

Thank you for your response and your willingness to add this request to your
queue.

> However, not sure when we'll get to adding it -- I can say with
> some certainty that it won't appear in the 2.7.0 since the
> feature sets are pretty set at this point.

Sure, that's fair :) Do you know what the timeframe of the post-2.7.0
release is?

As a workaround / alternative, we are thinking about making our
preprocessor "static". However, I am not sure if the Snort architecture supports
3rd-party static preprocessors in terms of public API "contracts", build
integration and so on. Is there any document available that would describe
this area?

> As you're probably aware, with decryption (or gunzip or related
> decoding), there will be a pretty significant performance impact
> on the throughput when you encounter such a packet.

You're right. Although, it seems like it's only the asymmetric cryptography
used in the SSL handshake that makes most of the performance impact, and since
the handshake is only a small part of the overall session traffic, the
performance impact is not that severe.

Thanks again,
Vladimir

SSLTech.net - SSL traffic decryption software
http://www.ssltech.net
----- Original Message ----- 
From: "Steven Sturges" <steve.sturges at ...402...>
To: "Vladimir Shcherbakov" <vladimir at ...2929...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Wednesday, March 28, 2007 1:51 PM
Subject: Re: [Snort-devel] Dynamic preprocessor question - access to Preprocess function


> Hi Vladimir--
>
> No, there is no current way to do this using the dynamic preprocessor
> API, but it is reasonable as a feature request.  I'll add that to
> our queue...
>
> However, not sure when we'll get to adding it -- I can say with
> some certainty that it won't appear in the 2.7.0 since the
> feature sets are pretty set at this point.
>
> As you're probably aware, with decryption (or gunzip or related
> decoding), there will be a pretty significant performance impact
> on the throughput when you encounter such a packet.
>
> Cheers.
> -steve
>
> Vladimir Shcherbakov wrote:
>> Hello All,
>>
>> I'm working on an SSL decryption Snort preprocessor that would decipher SSL
>> traffic and pass the decrypted data back to Snort wrapped as fake network
>> packets. Ideally, I'd like the preprocessor to work the same way as Snort's
>> own stream4 one, but implemented as a dynamic preprocessor to simplify the
>> deployment.
>>
>> The only problem with this approach is that the dynamic preprocessor API
>> only allows sending packets to the detection engine using the
>> DynamicPreprocessorData.detect function, while I'd like to be able to send
>> the decoded data back to the preprocessors layer so that (decoded) SSL
>> traffic can be processed, say, with the stream4 preprocessor before it
>> reaches the detection layer.
>>
>> Is there any way to do that? If not, does it look like something you (Snort
>> developers) could consider as a feature request?
>>
>> Thanks in advance,
>>
>> Vladimir Shcherbakov
>>
>> SSLTech.net - SSL traffic decryption software
>> http://www.ssltech.net