[Snort-devel] Question about DAQ in snort 3.0

Russ Combs rcombs at ...402...
Tue Jul 8 12:44:49 EDT 2008


Yes, finish_packet() is used to handle some of the ANALYZER_ACTIONs from
analyze().

On Tue, 2008-07-08 at 22:44 +0800, Jun Xiao wrote:
> Russ,
> 
> Actually, my question is what mechanism is used to notify the DAQ of the
> analyzer's detection result. You know, we cannot return the result
> through the original function call initiated by the DAQ, since the function
> has already returned before the analyzer does the analysis.
> 
> So I am asking if finish_packet is for this purpose.
> 
> Thanks,
> Jun
> 
> 
> 2008/7/8, Russ Combs <rcombs at ...402...>:
> > Jun,
> >
> > I'm not sure what you mean.  analyze() is of course executed in the
> > thread of its caller.  The functions in dispatcher.c, where
> > ANALYZER_ACTION is (almost entirely) handled, are executed in either the
> > DAQ thread or the analyzer threads.
> >
> > Are you reading the code or debugging it?  I suggest running it in a
> > debugger to see what is happening.  You might try modifying the dummy
> > analyzer to return different ANALYZER_ACTION values to see what happens
> > in each case.
> >
> > If you find a problem, let me know.
> >
> > Russ
> >
> > On Tue, 2008-07-08 at 13:20 +0800, Jun Xiao wrote:
> > > Russ,
> > >
> > > Thanks for the info.
> > > But I don't think analyze() can really return the ANALYZER_ACTION
> > > result; actually, it is executed in a different thread than the
> > > caller.
> > >
> > > Thanks,
> > > Jun
> > >
> > > 2008/7/7 Russ Combs <rcombs at ...402...>:
> > > > Jun,
> > > >
> > > > The analyze() function in the analyzer_module_t returns back one of the
> > > > ANALYZER_ACTION values.  See analyzer_api.h for details.
> > > >
> > > > From the RELEASE.NOTES:  The ipq DAQ has not been compiled or tested.
> > > > If you have any fixes, please send them.  :)
> > > >
> > > > pcap_process_loop() must copy the packet data because in SnortSP the
> > > > packet lifetime is always longer than the callback in which it was
> > > > acquired.  (This differs from Snort except for reassembly in which case
> > > > a copy is also required.)  To avoid the copy, the pcap library would
> > > > have to provide a function that wrote the packet data into a caller
> > > > supplied buffer.
> > > >
> > > > Russ
> > > >
> > > > On Mon, 2008-07-07 at 16:41 +0800, Jun Xiao wrote:
> > > >> I think the mechanism is that the engine will invoke the callback
> > > >> function finish_packet() to tell data source module to take the
> > > >> corresponding action. Is that correct?
> > > >> There is also another question: why do we need to do a packet copy in daq_pcap.c?
> > > >> pcap_process_loop() {
> > > >> ...
> > > >> memcpy(p, data, pkth->caplen);
> > > >> ...
> > > >> }
> > > >> Can we reuse the data pointer to avoid the packet copy?
> > > >>
> > > >> Thanks,
> > > >> Jun
> > > >>
> > > >> 2008/7/4 Xiao Jun <xiaojuntime at ...2499...>:
> > > >> > Hi All,
> > > >> >
> > > >> > I am wondering whether the snort 3.0 beta + iptables (IPS mode) is workable or not;
> > > >> > that is, how does the engine return the detection result (for
> > > >> > example, drop or reject) back to the data source?
> > > >> >
> > > >> > BTW, at line 147 of daq_ipq.c, "dd.resolution" should be used to
> > > >> > return the detection result, but I cannot even find the
> > > >> > definition of resolution.
> > > >> >
> > > >> > Thanks,
> > > >> > Jun
> > > >> >
> > > >>
> > > >
> > > >
> >
> >
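The packet-lifetime point Russ makes above (the capture library's buffer is only valid during the callback, so a DAQ that hands packets to other threads must copy them) is shown below as an added example. It is not SnortSP code: daq_packet_t, capture_deliver() and the two frames are constructed stand-ins for pcap's callback contract and daq_pcap.c's memcpy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CAPLEN 1500
/* Packet record whose lifetime outlasts the capture callback (hypothetical
   model of what daq_pcap.c builds with its memcpy, not SnortSP's own type). */
typedef struct {
    uint32_t caplen;
    uint8_t  data[MAX_CAPLEN];
} daq_packet_t;
/* Simulated capture library: like pcap, it returns a pointer into its own
   reusable buffer, valid only until the next frame is delivered. */
static uint8_t capture_buf[MAX_CAPLEN];
static const uint8_t *capture_deliver(const uint8_t *frame, uint32_t len)
{
    memcpy(capture_buf, frame, len);
    return capture_buf;
}
/* Acquire a packet the way pcap_process_loop() does: copy the bytes into a
   heap record that analyzer threads can hold after the callback returns. */
daq_packet_t *acquire_copy(const uint8_t *data, uint32_t caplen)
{
    if (caplen > MAX_CAPLEN)
        return NULL;
    daq_packet_t *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->caplen = caplen;
    memcpy(p->data, data, caplen);
    return p;
}
/* Deliver two constructed frames back to back and report whether the first
   packet's bytes are still intact when the analyzer finally looks at them.
   use_copy = 1 models the memcpy; use_copy = 0 models reusing the capture
   pointer directly, as proposed in the thread. Returns 1 if intact, else 0. */
int first_packet_intact(int use_copy)
{
    static const uint8_t frame1[4] = { 0x45, 0x00, 0x00, 0x28 }; /* constructed */
    static const uint8_t frame2[4] = { 0x60, 0x00, 0x00, 0x00 }; /* constructed */
    const uint8_t *raw = capture_deliver(frame1, sizeof frame1);
    daq_packet_t *owned = use_copy ? acquire_copy(raw, sizeof frame1) : NULL;
    if (use_copy && !owned) return 0;
    const uint8_t *view = use_copy ? owned->data : raw;  /* what the analyzer sees */
    capture_deliver(frame2, sizeof frame2);  /* next callback reuses the buffer */
    int intact = memcmp(view, frame1, sizeof frame1) == 0;
    free(owned);
    return intact;
}
```

With the copy the analyzer still sees frame1 after the next callback; with the aliased pointer it silently sees frame2, which is the bug the memcpy prevents.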