[Snort-devel] Help Developing Snort "Hello World" Dynamic Preprocessor
mbahe_suro at ...3099...
Wed Aug 18 12:51:36 EDT 2010
Actually, for my work, I decided to modify the Dynamic Preprocessor Example.
It works so far.
Maybe I will try fixing my dynamic preprocessor later.
I'm still figuring out what's wrong with my dynamic preprocessor.
So I make a simpler & similar dynamic preprocessor, that's the "Hello
Ok, talking about "Hello World" Dynamic Preprocessor.
I think the initialization function (HelloInit) is working,
since it was loaded successfully when Snort was starting up.
Maybe the problem is in the process function (HelloProcess).
In my opinion, when a packet passes and is captured by Snort,
Snort always calls all process functions in all
registered preprocessors (including Dynamic Preprocessors). Am I right?
In this case, it looks like Snort doesn't call the process function in the
Dynamic Preprocessor. I have tried modifying the process function in SSH
to do exactly the same algorithm as the "Hello World" Dynamic Preprocessor
(except the output messages).
I compiled them together, all dynamic preprocessors were loaded &
registered successfully (including "Hello World",
because I saw it was listed in Dynamic Plugin list after Snort Pig ASCII
Then, when a packet came, only the SSH Dynamic Preprocessor could output a
message (done by calling _dpd.logMsg()),
but "Hello World" itself didn't say "Hello" at all.
It means Snort doesn't call the process function in "Hello World", right?
Is it because I did not make any configuration in
snort.conf for "Hello World" dynamic preprocessor?
Because I think it is not necessary to make any configuration for this
On Mon, 16 Aug 2010 10:33:51 -0400, Russ Combs <rcombs at ...402...>
> Hi Fuat,
> Rolling your own dynamic preprocessor is not as easy as it could be.
> putting a blog post together to remedy that.
> In the meantime, here are some pointers:
> * ensure the dpp is compiled with exactly the same options as snort
> * ensure visibility is correct to get InitializePreprocessor() and
> LibVersion() exported
> * use DebugMessage() instead of _dpd.debugMsg() so file and line are set
> * use the SNORT_DEBUG environment variable to get helpful output
> And be sure to add the preprocessor config to your snort.conf!
> On Sat, Jul 31, 2010 at 2:35 AM, Fuat Yosanto <
> mbahe_suro at ...3099...> wrote:
>> Hi all,
>> Actually I have a problem when creating my own dynamic-preprocessor.
>> (See my previous email with subject : Linking custom
>> Seems like my dynamic-preprocessor hasn't been executed by Snort
>> successfully but didn't work).
>> I can't figure out what's wrong with it. May be something is missing.
>> I have tried modifying the Snort dynamic-preprocessor example to do the same
>> process as my dynamic-preprocessor.
>> It works, but I can't satisfy my needs, because of its directory
>> position, and naming problem.
>> So to understand what are the minimum requirements to build
>> I am looking for a basic example code like "hello world" Snort
>> Here, I have created the prototype of "hello world" Snort
>> The idea is simple, it will log message when it finds any kind of
>> Additionally it can identify TCP, UDP, and ICMP packet.
>> Assume that we have done any setup things to integrate this
>> dynamic-preprocessor in Snort sources
>> such as editing generators.h, preprocids.h, Makefile.am, re-running
>> autotools, etc.
>> These are the sources :
>> Directory : src/dynamic-preprocessor/hello
>> File name : spp_hello.c
>> #include "preprocids.h"
>> #include "sf_snort_packet.h"
>> #include "sf_dynamic_preprocessor.h"
>> #include "sf_dynamic_preproc_lib.h"
>> #include "sf_snort_plugin_api.h"
>> #include "sfPolicy.h"
>> #include "sfPolicyUserData.h"
>>
>> #define GENERATOR_SPP_HELLO 230
>>
>> extern DynamicPreprocessorData _dpd;
>>
>> static void HelloInit(char *);
>> static void HelloProcess(void *, void *);
>>
>> /* Setup entry point named by DYNAMIC_PREPROC_SETUP:
>>    registers the "hello" keyword and its init function. */
>> void HelloSetup()
>> {
>>     _dpd.registerPreproc("hello", HelloInit);
>> }
>>
>> /* Init function: adds HelloProcess as the packet callback
>>    for TCP, UDP and ICMP. */
>> static void HelloInit(char *args)
>> {
>>     _dpd.addPreproc(HelloProcess, PRIORITY_TRANSPORT, PP_HELLO,
>>                     PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__ICMP);
>> }
>>
>> /* Process function: logs one message per packet. */
>> static void HelloProcess(void *pkt, void *context)
>> {
>>     SFSnortPacket *p = (SFSnortPacket *)pkt;
>>
>>     if(IsTCP(p))
>>         _dpd.logMsg("Hello : Got TCP packet!\n");
>>     else if(IsUDP(p))
>>         _dpd.logMsg("Hello : Got UDP packet!\n");
>>     else if(IsICMP(p))
>>         _dpd.logMsg("Hello : Got ICMP packet!\n");
>>     else
>>         _dpd.logMsg("Hello : Got unknown packet!\n");
>> }
>> File name : sf_preproc_info.h :
>> #ifndef SF_PREPROC_INFO_H_
>> #define SF_PREPROC_INFO_H_
>>
>> #define MAJOR_VERSION 1
>> #define MINOR_VERSION 0
>> #define BUILD_VERSION 1
>> #define PREPROC_NAME "HelloWorld_Preprocessor"
>>
>> #define DYNAMIC_PREPROC_SETUP HelloSetup
>> extern void HelloSetup();
>>
>> #endif
>> So here I need help to fix & improve them, because those are still
>> There should be something missing, something wrong, or something
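The registration flow behind Russ's reminder to add the preprocessor config to snort.conf, as an added example that is not part of the original thread or of Snort's source: a simplified C model which assumes that the init callback registered for a keyword runs only when a matching `preprocessor <keyword>` line is parsed. The names `register_preproc`, `add_preproc` and `run_model` and the sample config lines are constructed stand-ins for `_dpd.registerPreproc()`, `_dpd.addPreproc()` and a real snort.conf.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (constructed, not Snort source) of the life cycle:
   load library -> setup registers keyword -> config line triggers init
   -> init adds the packet callback -> packets reach the callback. */
typedef void (*init_fn)(const char *args);
typedef void (*proc_fn)(int proto);

static struct { const char *keyword; init_fn init; } keywords[8];
static proc_fn procs[8];
static int n_keywords, n_procs, hello_hits;

/* Hypothetical stand-ins for _dpd.registerPreproc() and _dpd.addPreproc(). */
static void register_preproc(const char *kw, init_fn f) {
    keywords[n_keywords].keyword = kw;
    keywords[n_keywords++].init = f;
}
static void add_preproc(proc_fn f) { procs[n_procs++] = f; }

static void hello_process(int proto) { (void)proto; hello_hits++; }
static void hello_init(const char *args) { (void)args; add_preproc(hello_process); }
static void hello_setup(void) { register_preproc("hello", hello_init); }

/* Assumption of the model: init runs only for "preprocessor <keyword>". */
static void parse_conf_line(const char *line) {
    char kw[32];
    if (sscanf(line, "preprocessor %31[^: \n]", kw) != 1) return;
    for (int i = 0; i < n_keywords; i++)
        if (strcmp(keywords[i].keyword, kw) == 0)
            keywords[i].init(line);
}

/* Returns how many packets reached hello_process for the given config. */
int run_model(const char **conf, int n_lines, int n_packets) {
    n_keywords = n_procs = hello_hits = 0;
    hello_setup();                          /* library load: keyword registered */
    for (int i = 0; i < n_lines; i++) parse_conf_line(conf[i]);
    for (int p = 0; p < n_packets; p++)     /* per-packet dispatch */
        for (int i = 0; i < n_procs; i++) procs[i](6);
    return hello_hits;
}

int main(void) {
    /* Constructed sample config lines. */
    const char *without[] = { "preprocessor ssh: server_ports { 22 }" };
    const char *with[]    = { "preprocessor ssh: server_ports { 22 }", "preprocessor hello" };
    printf("no config line:   %d calls\n", run_model(without, 1, 3));
    printf("with config line: %d calls\n", run_model(with, 2, 3));
    return 0;
}
```

In the model, a library that loads and registers its keyword still receives no packets until the config contains the keyword, which matches the symptom described in the thread.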