[Snort-devel] Question about DAQ in snort 3.0

Jun Xiao xiaojuntime at ...2499...
Tue Jul 8 10:44:08 EDT 2008


Russ,

Actually, my question is what mechanism is used to notify the DAQ of the
analyzer's detection result. You know, we cannot return the result via the
original function call initiated by the DAQ, since the function has
already returned before the analyzer does the analysis.

So I am asking if finish_packet is for this purpose.

Thanks,
Jun


2008/7/8, Russ Combs <rcombs at ...402...>:
> Jun,
>
> I'm not sure what you mean.  analyze() is of course executed in the
> thread of its caller.  The functions in dispatcher.c, where
> ANALYZER_ACTION is (almost entirely) handled, are executed in either the
> DAQ thread or the analyzer threads.
>
> Are you reading the code or debugging it?  I suggest running it in a
> debugger to see what is happening.  You might try modifying the dummy
> analyzer to return different ANALYZER_ACTION values to see what happens
> in each case.
>
> If you find a problem, let me know.
>
> Russ
>
> On Tue, 2008-07-08 at 13:20 +0800, Jun Xiao wrote:
> > Russ,
> >
> > Thanks for the info.
> > But I don't think analyze() can really return the ANALYZER_ACTION
> > result; actually, it is executed in a different thread than the
> > caller.
> >
> > Thanks,
> > Jun
> >
> > 2008/7/7 Russ Combs <rcombs at ...402...>:
> > > Jun,
> > >
> > > The analyze() function in the analyzer_module_t returns back one of the
> > > ANALYZER_ACTION values.  See analyzer_api.h for details.
> > >
> > > From the RELEASE.NOTES:  The ipq DAQ has not been compiled or tested.
> > > If you have any fixes, please send them.  :)
> > >
> > > pcap_process_loop() must copy the packet data because in SnortSP the
> > > packet lifetime is always longer than the callback in which it was
> > > acquired.  (This differs from Snort except for reassembly in which case
> > > a copy is also required.)  To avoid the copy, the pcap library would
> > > have to provide a function that wrote the packet data into a caller
> > > supplied buffer.
> > >
> > > Russ
> > >
> > > On Mon, 2008-07-07 at 16:41 +0800, Jun Xiao wrote:
> > >> I think the mechanism is that the engine will invoke the callback
> > >> function finish_packet() to tell data source module to take the
> > >> corresponding action. Is that correct?
> > >> There is also another question: why do we need to do a packet copy in daq_pcap.c?
> > >> pcap_process_loop() {
> > >> ...
> > >> memcpy(p, data, pkth->caplen);
> > >> ...
> > >> }
> > >> Can we reuse the data pointer to avoid the packet copy?
> > >>
> > >> Thanks,
> > >> Jun
> > >>
> > >> 2008/7/4 Xiao Jun <xiaojuntime at ...2499...>:
> > >> > Hi All,
> > >> >
> > >> > I am wondering whether the snort 3.0 beta + iptables (IPS mode) is workable or not,
> > >> > that is, how does the engine return the detection result (for
> > >> > example, drop or reject) back to the data source?
> > >> >
> > >> > BTW, at line 147 of daq_ipq.c, "dd.resolution" should be used to
> > >> > return the detection result, but I cannot even find the
> > >> > definition of resolution.
> > >> >
> > >> > Thanks,
> > >> > Jun
> > >> >
> > >>
> > >> _______________________________________________
> > >> Snort-devel mailing list
> > >> Snort-devel at lists.sourceforge.net
> > >> https://lists.sourceforge.net/lists/listinfo/snort-devel
> > >
> > >
>
>
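The two points the thread keeps circling back to are (1) the data source's capture callback has already returned by the time the analyzer produces its verdict, so the verdict has to come back through a separate callback such as finish_packet(), and (2) pcap_process_loop() must copy the packet bytes because the packet outlives the callback in which it was acquired. The program below is an added illustration of both points; it is example code written for this page, not SnortSP or DAQ source. It assumes a constructed verdict enum standing in for ANALYZER_ACTION, a hypothetical finish_packet callback signature, a toy detection rule (drop if the first byte is 0xFF), and a single-threaded two-stage model in which the analyzer runs after the whole capture loop instead of in its own thread; the ordering problem it exposes is the same.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Verdict values standing in for ANALYZER_ACTION; these names are constructed. */
typedef enum { VERDICT_PASS = 0, VERDICT_DROP = 1 } verdict_t;

typedef struct packet {
    const uint8_t *data;   /* either a private copy or the raw capture pointer */
    uint8_t *owned;        /* non-NULL when data was copied and must be freed */
    size_t len;
    size_t index;          /* position in the capture stream */
    struct packet *next;
} packet_t;

/* Hypothetical finish_packet signature: how the analyzer hands the verdict back. */
typedef void (*finish_packet_fn)(packet_t *pkt, verdict_t v, void *ctx);

typedef struct {
    packet_t *head, *tail;
    finish_packet_fn finish;
    void *finish_ctx;
} queue_t;

static void queue_push(queue_t *q, packet_t *p) {
    p->next = NULL;
    if (q->tail) q->tail->next = p; else q->head = p;
    q->tail = p;
}

static packet_t *queue_pop(queue_t *q) {
    packet_t *p = q->head;
    if (p) { q->head = p->next; if (!q->head) q->tail = NULL; }
    return p;
}

/* Data-source side, the analogue of the pcap callback in pcap_process_loop().
 * It returns before any analysis happens, so it cannot receive the verdict as
 * a return value. With copy != 0 it performs the memcpy the thread asks about;
 * otherwise it keeps the raw capture pointer, which is the unsafe variant. */
static void daq_on_capture(queue_t *q, const uint8_t *data, size_t caplen,
                           size_t index, int copy) {
    packet_t *p = calloc(1, sizeof *p);
    if (copy) {
        p->owned = malloc(caplen);
        memcpy(p->owned, data, caplen);
        p->data = p->owned;
    } else {
        p->data = data;        /* the capture buffer will be reused underneath us */
    }
    p->len = caplen;
    p->index = index;
    queue_push(q, p);
}

/* Toy detection rule (constructed): drop any packet whose first byte is 0xFF. */
static verdict_t analyze(const packet_t *p) {
    return (p->len > 0 && p->data[0] == 0xFF) ? VERDICT_DROP : VERDICT_PASS;
}

/* Analyzer side. In SnortSP this runs in an analyzer thread; running it after
 * the capture loop is enough to show the capture call has already returned. */
static void analyzer_drain(queue_t *q) {
    packet_t *p;
    while ((p = queue_pop(q)) != NULL) {
        q->finish(p, analyze(p), q->finish_ctx);   /* verdict goes via callback */
        free(p->owned);
        free(p);
    }
}

/* Data source's finish_packet: records the verdict per packet index. In an
 * inline DAQ this is where accept/drop would be issued for the queued packet. */
static void daq_finish_packet(packet_t *p, verdict_t v, void *ctx) {
    ((verdict_t *)ctx)[p->index] = v;
}

/* Feeds n packets through one reused capture buffer, then runs the analyzer.
 * Returns the number of DROP verdicts; verdicts[] receives per-packet results. */
size_t run_pipeline(const uint8_t *const *pkts, const size_t *lens, size_t n,
                    verdict_t *verdicts, int copy) {
    uint8_t capture_buf[64];     /* stands in for libpcap's reused buffer */
    queue_t q = { NULL, NULL, daq_finish_packet, verdicts };
    for (size_t i = 0; i < n; i++) {
        memcpy(capture_buf, pkts[i], lens[i]);
        daq_on_capture(&q, capture_buf, lens[i], i, copy);
        memset(capture_buf, 0, sizeof capture_buf);   /* next capture overwrites it */
    }
    analyzer_drain(&q);
    size_t drops = 0;
    for (size_t i = 0; i < n; i++) drops += (verdicts[i] == VERDICT_DROP);
    return drops;
}

/* Constructed sample stream: only packet 1 matches the toy rule. */
static const uint8_t s_pkt0[] = {0x45, 0x00, 0x00, 0x14};
static const uint8_t s_pkt1[] = {0xFF, 0x01};
static const uint8_t s_pkt2[] = {0x45, 0x00};
const uint8_t *const sample_pkts[] = {s_pkt0, s_pkt1, s_pkt2};
const size_t sample_lens[] = {4, 2, 2};

/* Drop count over the sample stream, with or without the copy. */
size_t sample_drops(int copy) {
    verdict_t v[3];
    return run_pipeline(sample_pkts, sample_lens, 3, v, copy);
}

int main(void) {
    /* With the copy the analyzer sees the real bytes and drops 1 packet; without
     * it, every packet points at the zeroed capture buffer and nothing is dropped. */
    return (sample_drops(1) == 1 && sample_drops(0) == 0) ? 0 : 1;
}
```

Running it with copy=1 yields one DROP verdict, delivered through daq_finish_packet() long after daq_on_capture() returned; with copy=0 the analyzer reads the reused buffer and every verdict is wrong, which is exactly why pcap_process_loop() cannot simply hand the analyzer libpcap's data pointer.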



