[Snort-devel] Question about DAQ in snort 3.0

Russ Combs rcombs at ...402...
Mon Jul 7 08:49:29 EDT 2008


Jun,

The analyze() function in the analyzer_module_t returns back one of the
ANALYZER_ACTION values.  See analyzer_api.h for details.

From the RELEASE.NOTES:  The ipq DAQ has not been compiled or tested.
If you have any fixes, please send them.  :)

pcap_process_loop() must copy the packet data because in SnortSP the
packet lifetime is always longer than the callback in which it was
acquired.  (This differs from Snort except for reassembly in which case
a copy is also required.)  To avoid the copy, the pcap library would
have to provide a function that wrote the packet data into a caller
supplied buffer.

Russ

On Mon, 2008-07-07 at 16:41 +0800, Jun Xiao wrote:
> I think the mechanism is that the engine will invoke the callback
> function finish_packet() to tell the data source module to take the
> corresponding action. Is that correct?
> There is also another question: why do we need to do a packet copy in daq_pcap.c?
> pcap_process_loop() {
> ...
> memcpy(p, data, pkth->caplen);
> ...
> }
> Can we reuse data pointer to reduce the packet copy?
> 
> Thanks,
> Jun
> 
> 2008/7/4 Xiao Jun <xiaojuntime at ...2499...>:
> > Hi All,
> >
> > I am wondering whether the snort 3.0 beta + iptables (IPS mode) is workable or not,
> > that is, how does the engine return the detection result (for
> > example, drop or reject) back to the data source?
> >
> > BTW, at line 147 of daq_ipq.c, "dd.resolution" should be used to
> > return the detection result, but I cannot even find the
> > definition of resolution.
> >
> > Thanks,
> > Jun
> >
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
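
The lifetime issue Russ describes (the capture library only guarantees the packet pointer for the duration of the callback, so a DAQ whose packets outlive the callback must copy caplen bytes into memory it owns) is shown below in an added, self-contained example. This is not code from SnortSP, daq_pcap.c or libpcap: the pkthdr/handler types, fake_capture_loop, the queue and the sample packet bytes are all constructed stand-ins so the program runs without libpcap. The simulated capture loop reuses one buffer the way a capture library does, and the two enqueue handlers contrast keeping the raw pointer with copying the data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the capture library's header and callback types so this
 * runs without libpcap (assumption: these names are illustrative only). */
struct pkthdr { uint32_t caplen; uint32_t len; };
typedef void (*pkt_handler)(void *user, const struct pkthdr *h, const uint8_t *data);

/* Constructed sample packets; not real traffic. */
static const uint8_t SAMPLE0[] = { 0x45, 0x00, 0x00, 0x1c, 0x11 };
static const uint8_t SAMPLE1[] = { 0x45, 0x00, 0x00, 0x28, 0x06, 0xde, 0xad };
static const uint8_t SAMPLE2[] = { 0x60, 0x00, 0x00, 0x00, 0x00, 0x08, 0x3a, 0xff, 0x01 };
static const uint8_t *const SAMPLES[] = { SAMPLE0, SAMPLE1, SAMPLE2 };
static const uint32_t SAMPLE_LEN[] = { sizeof SAMPLE0, sizeof SAMPLE1, sizeof SAMPLE2 };
#define NSAMPLES 3

/* Simulated capture loop. Like a real capture library, it hands the callback
 * a pointer into one buffer it owns and reuses, so 'data' is valid only for
 * the duration of the call. */
static void fake_capture_loop(pkt_handler cb, void *user)
{
    static uint8_t shared_buf[64];
    for (int i = 0; i < NSAMPLES; i++) {
        struct pkthdr h = { SAMPLE_LEN[i], SAMPLE_LEN[i] };
        memcpy(shared_buf, SAMPLES[i], SAMPLE_LEN[i]);
        cb(user, &h, shared_buf);
    }
}

/* A queue whose packets outlive the callback, the situation Russ describes. */
#define MAXQ 8
struct queued { struct pkthdr hdr; const uint8_t *data; uint8_t *owned; };
struct queue { struct queued q[MAXQ]; int n; };

/* Wrong: keep the capture pointer. By the time the queue is drained the
 * shared buffer has been overwritten by later packets. */
static void enqueue_noncopy(void *user, const struct pkthdr *h, const uint8_t *data)
{
    struct queue *q = user;
    if (q->n >= MAXQ) return;
    q->q[q->n].hdr = *h;
    q->q[q->n].data = data;
    q->q[q->n].owned = NULL;
    q->n++;
}

/* Right: copy into memory the queue owns. Copy caplen, not len: only caplen
 * bytes were actually captured. */
static void enqueue_copy(void *user, const struct pkthdr *h, const uint8_t *data)
{
    struct queue *q = user;
    if (q->n >= MAXQ) return;
    uint8_t *buf = malloc(h->caplen);
    if (!buf) return;
    memcpy(buf, data, h->caplen);
    q->q[q->n].hdr = *h;
    q->q[q->n].data = buf;
    q->q[q->n].owned = buf;
    q->n++;
}

/* Deferred processing: count queued packets whose bytes still match what was
 * captured, then release any owned buffers. */
static int drain_and_verify(struct queue *q)
{
    int ok = 0;
    for (int i = 0; i < q->n; i++) {
        if (q->q[i].hdr.caplen == SAMPLE_LEN[i] &&
            memcmp(q->q[i].data, SAMPLES[i], SAMPLE_LEN[i]) == 0)
            ok++;
        free(q->q[i].owned);
    }
    q->n = 0;
    return ok;
}

/* Returns how many of the NSAMPLES packets are still intact at drain time. */
int packets_intact_without_copy(void)
{
    struct queue q = { .n = 0 };
    fake_capture_loop(enqueue_noncopy, &q);
    return drain_and_verify(&q);   /* only the last packet survives */
}

int packets_intact_with_copy(void)
{
    struct queue q = { .n = 0 };
    fake_capture_loop(enqueue_copy, &q);
    return drain_and_verify(&q);   /* all packets survive */
}

int main(void)
{
    printf("without copy: %d/%d intact\n", packets_intact_without_copy(), NSAMPLES);
    printf("with copy:    %d/%d intact\n", packets_intact_with_copy(), NSAMPLES);
    return 0;
}
```

The non-copying handler sees stale data because every queued entry points at the same reused buffer; in a real DAQ the stale memory could also be unmapped or recycled, so the failure would be a crash or silently wrong detection rather than the clean mismatch shown here. Avoiding the memcpy would require the capture library to write each packet directly into a buffer the DAQ supplies, which is the API Russ says pcap does not offer.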
