[Snort-devel] any function in Snort to drop packets?

Steven Sturges steve.sturges at ...402...
Mon Oct 22 16:35:32 EDT 2007


You can code the preprocessors to have specific priorities,
as noted in plugbase.h -- add to it as needed.

Then, use the DisableDetect() function to stop inspection
as each preprocessor determines whether the next one in the
chain should inspect...

Though, I'd also recommend a single preprocessor that handles
the functionality of what you describe as Preprocessors 1/2/3.
That would simply call DisableDetect() and return when it
decides that a packet requires no further inspection.

Cheers.
-steve
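Steve's chain-of-preprocessors design, sketched as an added example in plain C that is not from this thread or from Snort itself: the Packet struct, disable_detect() and the three stage functions are constructed stand-ins for Snort's Packet, DisableDetect(p) and the preprocessors Jerry describes, so the code runs without the Snort headers. Each stage calls disable_detect() when the packet needs no further inspection, and the chain runs stages in priority order and stops as soon as that happens.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for Snort's Packet with only the fields this demo needs. */
typedef struct {
    unsigned dport;
    const char *payload;
    size_t dsize;
    bool detect_enabled;  /* cleared by disable_detect(), like Snort's DisableDetect(p) */
} Packet;
/* Stand-in for Snort's DisableDetect(p): the rule engine will skip this packet. */
static void disable_detect(Packet *p) { p->detect_enabled = false; }

/* Stage 1: only traffic to port 80 goes further. */
static void pp1_port(Packet *p) { if (p->dport != 80) disable_detect(p); }
/* Stage 2: only packets that carry a payload go further. */
static void pp2_payload(Packet *p) { if (p->dsize == 0) disable_detect(p); }
/* Stage 3: only requests starting with an HTTP method reach the rule engine. */
static void pp3_method(Packet *p) {
    if (p->dsize < 4 || (memcmp(p->payload, "GET ", 4) && memcmp(p->payload, "POST", 4)))
        disable_detect(p);
}
typedef struct { int priority; void (*run)(Packet *); } Preprocessor;

/* Run the chain in priority order (lower first, as with plugbase.h priorities) and
 * stop as soon as detection is disabled, which is what a preprocessor that calls
 * DisableDetect() and returns achieves. Returns how many stages actually ran. */
static int run_chain(Packet *p) {
    /* registered out of order on purpose: priority, not registration, decides */
    Preprocessor chain[] = { {30, pp3_method}, {10, pp1_port}, {20, pp2_payload} };
    size_t n = sizeof chain / sizeof chain[0];
    for (size_t i = 1; i < n; i++) {            /* insertion sort by priority */
        Preprocessor key = chain[i];
        size_t j = i;
        while (j > 0 && chain[j - 1].priority > key.priority) { chain[j] = chain[j - 1]; j--; }
        chain[j] = key;
    }
    int ran = 0;
    p->detect_enabled = true;
    for (size_t i = 0; i < n && p->detect_enabled; i++) { chain[i].run(p); ran++; }
    return ran;
}

/* Classify a constructed packet: returns the number of stages that ran and sets
 * *to_engine to whether the rule engine would still inspect it. */
static int inspect(unsigned dport, const char *data, bool *to_engine) {
    Packet p = { dport, data, strlen(data), true };
    int ran = run_chain(&p);
    *to_engine = p.detect_enabled;
    return ran;
}
```

In a real Snort preprocessor the same decision is made inside the registered process callback, which calls DisableDetect(p) and returns; nothing here is "dropped" on the wire, since that still requires inline mode and InlineDrop(p).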

Jerry Zhang wrote:
> Hi,
> Thanks.
> 
> I think it is necessary for me to run snort in inline mode to use
> InlineDrop(p), right? But I do not want to run it in inline mode.
> 
> I want to organize my preprocessors and the snort detection engine like
> this:
> 
> Preprocessor1 ---> Preprocessor2 ---> Preprocessor3 ----> snort detection
> engine (rule based).
> 
> 1) Preprocessor1 decides which packets should be handled in Preprocessor2,
> 2) Preprocessor2 decides which packets (some of those from 1) should be handled
> in Preprocessor3,
> 3) Preprocessor3 decides which packets (some of those from 2) should be checked
> in the snort detection engine.
> 
> To make it work, how can I achieve the things below:
> 
> 1) How can I put the preprocessors in order in snort? Say, Preprocessor1
> touches the packet first, then Preprocessor2, and so on.
> 
> 2) After Preprocessor1 decides which packets should be passed to
> Preprocessor2 while others should be dropped, then Preprocessor1 wants to
> drop the packets. How can I make this "drop" action in practice?
> 
> Thanks
> 
> 
> 2007/10/19, Will Metcalf <william.metcalf at ...2499...>:
>> InlineDrop(p);
>>
>> On 10/19/07, Jerry Zhang <jerry3558 at ...2499...> wrote:
>>> Hi
>>>
>>> Is there any function I can use to drop a certain packet in preprocessor
>> in
>>> the snort?
>>>
>>> Thanks
>>> jerry
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>>
> 
> 



