[Snort-devel] Help Developing Snort "Hello World" Dynamic Preprocessor

Russ Combs rcombs at ...402...
Mon Aug 16 10:33:51 EDT 2010


Hi Fuat,

Rolling your own dynamic preprocessor is not as easy as it could be.  I'm
putting a blog post together to remedy that.

In the meantime, here are some pointers:

* ensure the dpp is compiled with exactly the same options as snort
* ensure visibility is correct to get InitializePreprocessor() and
LibVersion() exported
* use DebugMessage() instead of _dpd.debugMsg() so file and line are set
correctly
* use the SNORT_DEBUG environment variable to get helpful output

And be sure to add the preprocessor config to your snort.conf!

Russ

On Sat, Jul 31, 2010 at 2:35 AM, Fuat Yosanto <
mbahe_suro at ...3099...> wrote:

> Hi all,
>
> Actually I have a problem when creating my own dynamic-preprocessor.
> (See my previous email with subject : Linking custom dynamic-preprocessor)
> Seems like my dynamic-preprocessor hasn't been executed by Snort (loaded
> successfully but didn't work).
> I can't figure out what's wrong with it. Maybe something is missing.
> I have tried modifying the Snort dynamic-preprocessor example to do the same
> process as my dynamic-preprocessor.
> It works, but I can't satisfy my needs, because of its directory
> position, and naming problem.
>
> So to understand what are the minimum requirements to build
> dynamic-preprocessor,
> I am looking for a basic example code like "hello world" Snort
> dynamic-preprocessor.
>
> Here, I have created the prototype of "hello world" Snort
> dynamic-preprocessor.
> The idea is simple: it will log a message when it finds any kind of packet.
> Additionally it can identify TCP, UDP, and ICMP packets.
>
> Assume that we have done any setup things to integrate this
> dynamic-preprocessor in Snort sources
> such as editing generators.h, preprocids.h, Makefile.am, re-running
> autotools, etc.
>
> These are the sources :
> Directory : src/dynamic-preprocessor/hello
>
> ========================
> File name : spp_hello.c
> ========================
> #include "preprocids.h"
> #include "sf_snort_packet.h"
> #include "sf_dynamic_preprocessor.h"
> #include "sf_dynamic_preproc_lib.h"
> #include "sf_snort_plugin_api.h"
> #include "sfPolicy.h"
> #include "sfPolicyUserData.h"
>
> #define GENERATOR_SPP_HELLO                    230
>
> extern DynamicPreprocessorData _dpd;
>
> static void HelloInit(char *);
> static void HelloProcess(void *, void *);
>
> void HelloSetup()
> {
>    _dpd.registerPreproc("hello", HelloInit);
> }
>
> static void HelloInit(char *args)
> {
>    _dpd.addPreproc(HelloProcess, PRIORITY_TRANSPORT, PP_HELLO,
> PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__ICMP);
> }
>
> static void HelloProcess(void *pkt, void *context)
> {
>    SFSnortPacket *p = (SFSnortPacket *)pkt;
>    if(IsTCP(p))
>    {
>        _dpd.logMsg("Hello : Got TCP packet!\n");
>    }
>    else if(IsUDP(p))
>    {
>        _dpd.logMsg("Hello : Got UDP packet!\n");
>    }
>    else if(IsICMP(p))
>    {
>        _dpd.logMsg("Hello : Got ICMP packet!\n");
>    }
>    else
>    {
>        _dpd.logMsg("Hello : Got unknown packet!\n");
>    }
> }
>
> ===============================
> File name : sf_preproc_info.h :
> ===============================
> #ifndef SF_PREPROC_INFO_H_
> #define SF_PREPROC_INFO_H_
>
> #define MAJOR_VERSION   1
> #define MINOR_VERSION   0
> #define BUILD_VERSION   1
> #define PREPROC_NAME    "HelloWorld_Preprocessor"
>
> #define DYNAMIC_PREPROC_SETUP   HelloSetup
> extern void HelloSetup();
>
> #endif
>
> So here I need help to fix & improve them, because those are still not
> working.
> There should be something missing, something wrong, or something
> unnecessary.
>
>
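A way to check two of the pointers in the reply above (the exported entry points and the snort.conf entry), as an added example that is not part of the original thread or of Snort itself. The function names, the script name in the usage comment and the sample inputs are constructed for illustration; the keyword "hello" is the one passed to registerPreproc() in the quoted code.

```shell
#!/bin/sh
# Added example, not from the thread.

# missing_exports: reads `nm -D --defined-only <lib>.so` output on stdin and
# prints each required entry point that is not an exported text symbol (T).
# A symbol compiled with hidden visibility is absent from the dynamic table.
missing_exports() {
    awk '
        BEGIN { need["InitializePreprocessor"] = 1; need["LibVersion"] = 1 }
        NF == 3 && $2 == "T" && ($3 in need) { seen[$3] = 1 }
        END { for (s in need) if (!(s in seen)) print s }
    ' | sort
}

# has_preproc_config NAME: reads snort.conf text on stdin and succeeds only
# if an uncommented "preprocessor NAME" line (with or without options) exists.
has_preproc_config() {
    grep -Eq "^[[:space:]]*preprocessor[[:space:]]+$1[[:space:]]*(:|\$)"
}

# Constructed sample: dynamic symbol table of a build where visibility
# settings hid InitializePreprocessor.
SAMPLE_NM_BAD='0000000000001a80 T LibVersion
0000000000001b20 T HelloSetup'

# Constructed sample: the same library with both entry points exported.
SAMPLE_NM_GOOD='0000000000001a10 T InitializePreprocessor
0000000000001a80 T LibVersion
0000000000001b20 T HelloSetup'

# Constructed sample: a snort.conf where the hello line is still commented out.
SAMPLE_CONF='# preprocessor hello
preprocessor frag3_global: max_frags 65536'

# Usage on a real build (hypothetical script name):
#   sh check_dpp.sh path/to/preprocessor.so path/to/snort.conf
if [ "$#" -eq 2 ]; then
    for sym in $(nm -D --defined-only "$1" | missing_exports); do
        echo "not exported: $sym"
    done
    has_preproc_config hello < "$2" ||
        echo "no uncommented 'preprocessor hello' line in $2"
fi
```

Either finding is consistent with the symptom in the quoted message: a library that loads without error but whose packet callback never runs.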