[Snort-devel] Help Developing Snort "Hello World" Dynamic Preprocessor

Fuat Yosanto mbahe_suro at ...3099...
Wed Aug 18 12:51:36 EDT 2010


Thanks Russ,

Actually, for my work, I decided to modify the Dynamic Preprocessor Example.
It works so far.
Maybe I will try fixing my dynamic preprocessor later.
I'm still figuring out what's wrong with my dynamic preprocessor.
So I made a simpler and similar dynamic preprocessor, that's the "Hello
World".

Ok, talking about the "Hello World" Dynamic Preprocessor.
I think the initialization function (HelloInit) is working,
since it was loaded successfully when Snort started up.
Maybe the problem is in the process function (HelloProcess).

In my opinion, when a packet passes and is captured by Snort,
Snort always calls all process functions in all
registered preprocessors (including Dynamic Preprocessors). Am I right?

In this case, it looks like Snort doesn't call the process function in the
"Hello World" Dynamic Preprocessor. I have tried modifying the process
function in the SSH Dynamic Preprocessor to do exactly the same algorithm
as the "Hello World" Dynamic Preprocessor (except for the output messages).
I compiled them together, and all dynamic preprocessors were loaded and
registered successfully (including "Hello World", because I saw it listed
in the Dynamic Plugin list after the Snort Pig ASCII art).
Then, when a packet came, only the SSH Dynamic Preprocessor could output
messages (done by calling _dpd.logMsg()), but "Hello World" itself didn't
say "Hello" at all.
It means Snort doesn't call the process function in "Hello World", right?

Is it because I did not make any configuration in snort.conf for the
"Hello World" dynamic preprocessor? Because I think it is not necessary
to make any configuration for this simple preprocessor.

Regards,
-------------
Fuat Yosanto


On Mon, 16 Aug 2010 10:33:51 -0400, Russ Combs <rcombs at ...402...>
wrote:
> Hi Fuat,
> 
> Rolling your own dynamic preprocessor is not as easy as it could be. I'm
> putting a blog post together to remedy that.
> 
> In the meantime, here are some pointers:
> 
> * ensure the dpp is compiled with exactly the same options as snort
> * ensure visibility is correct to get InitializePreprocessor() and
> LibVersion() exported
> * use DebugMessage() instead of _dpd.debugMsg() so file and line are set
> correctly
> * use the SNORT_DEBUG environment variable to get helpful output
> 
> And be sure to add the preprocessor config to your snort.conf!
> 
> Russ
> 
> On Sat, Jul 31, 2010 at 2:35 AM, Fuat Yosanto <
> mbahe_suro at ...3099...> wrote:
> 
>> Hi all,
>>
>> Actually I have a problem when creating my own dynamic-preprocessor.
>> (See my previous email with subject: Linking custom
>> dynamic-preprocessor.)
>> It seems like my dynamic-preprocessor hasn't been executed by Snort
>> (loaded successfully but didn't work).
>> I can't figure out what's wrong with it. Maybe something is missing.
>> I have tried modifying the Snort dynamic-preprocessor example to do the
>> same process as my dynamic-preprocessor.
>> It works, but it can't satisfy my needs, because of its directory
>> position and naming problem.
>>
>> So to understand the minimum requirements to build a
>> dynamic-preprocessor,
>> I am looking for basic example code like a "hello world" Snort
>> dynamic-preprocessor.
>>
>> Here, I have created a prototype of a "hello world" Snort
>> dynamic-preprocessor.
>> The idea is simple: it will log a message when it finds any kind of
>> packet.
>> Additionally, it can identify TCP, UDP, and ICMP packets.
>>
>> Assume that we have done all the setup needed to integrate this
>> dynamic-preprocessor into the Snort sources,
>> such as editing generators.h, preprocids.h, Makefile.am, re-running
>> autotools, etc.
>>
>> These are the sources:
>> Directory: src/dynamic-preprocessor/hello
>>
>> ========================
>> File name: spp_hello.c
>> ========================
>> #include "preprocids.h"
>> #include "sf_snort_packet.h"
>> #include "sf_dynamic_preprocessor.h"
>> #include "sf_dynamic_preproc_lib.h"
>> #include "sf_snort_plugin_api.h"
>> #include "sfPolicy.h"
>> #include "sfPolicyUserData.h"
>>
>> #define GENERATOR_SPP_HELLO                    230
>>
>> extern DynamicPreprocessorData _dpd;
>>
>> static void HelloInit(char *);
>> static void HelloProcess(void *, void *);
>>
>> /* Called when the library is loaded: registers the "hello" keyword. */
>> void HelloSetup()
>> {
>>    _dpd.registerPreproc("hello", HelloInit);
>> }
>>
>> /* Called when Snort parses the "hello" keyword in snort.conf. */
>> static void HelloInit(char *args)
>> {
>>    _dpd.addPreproc(HelloProcess, PRIORITY_TRANSPORT, PP_HELLO,
>>                    PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__ICMP);
>> }
>>
>> /* Per-packet callback installed by addPreproc(). */
>> static void HelloProcess(void *pkt, void *context)
>> {
>>    SFSnortPacket *p = (SFSnortPacket *)pkt;
>>    if(IsTCP(p))
>>    {
>>        _dpd.logMsg("Hello : Got TCP packet!\n");
>>    }
>>    else if(IsUDP(p))
>>    {
>>        _dpd.logMsg("Hello : Got UDP packet!\n");
>>    }
>>    else if(IsICMP(p))
>>    {
>>        _dpd.logMsg("Hello : Got ICMP packet!\n");
>>    }
>>    else
>>    {
>>        _dpd.logMsg("Hello : Got unknown packet!\n");
>>    }
>> }
>>
>> ===============================
>> File name: sf_preproc_info.h
>> ===============================
>> #ifndef SF_PREPROC_INFO_H_
>> #define SF_PREPROC_INFO_H_
>>
>> #define MAJOR_VERSION   1
>> #define MINOR_VERSION   0
>> #define BUILD_VERSION   1
>> #define PREPROC_NAME    "HelloWorld_Preprocessor"
>>
>> #define DYNAMIC_PREPROC_SETUP   HelloSetup
>> extern void HelloSetup();
>>
>> #endif
>>
>> So here I need help to fix and improve them, because those are still
>> not working.
>> There should be something missing, something wrong, or something
>> unnecessary.
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
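A constructed model, added here and not code from the thread or from Snort, of the lifecycle behind Russ's last pointer: HelloSetup (DYNAMIC_PREPROC_SETUP) runs when the library is loaded, which is why the plugin appears in the dynamic plugin list, but HelloInit, and the addPreproc call inside it, runs only when snort.conf contains a matching `preprocessor hello` line, so without that line nothing is ever hooked into the packet path. The model_* functions and run_model are assumed stand-ins for _dpd.registerPreproc, _dpd.addPreproc and Snort's packet loop.

```c
/* Constructed model of Snort 2.x dynamic preprocessor registration, not Snort
 * code: the model_* functions only imitate the shape of _dpd.registerPreproc(),
 * _dpd.addPreproc() and the packet loop so the lifecycle can be run offline. */
#include <stdio.h>
#include <string.h>

typedef void (*init_fn)(char *);
typedef void (*proc_fn)(void *, void *);

static const char *reg_keyword;  /* keyword passed to registerPreproc() */
static init_fn     reg_init;     /* config-init function for that keyword */
static proc_fn     packet_hook;  /* process function installed by addPreproc() */
static int         hello_count;  /* "Hello" messages emitted by the model */

/* Stage 1: runs when the .so is loaded (via DYNAMIC_PREPROC_SETUP). */
static void model_registerPreproc(const char *kw, init_fn f) { reg_keyword = kw; reg_init = f; }
/* Stage 3: called from the init function; puts the process function on the packet path. */
static void model_addPreproc(proc_fn f) { packet_hook = f; }

/* The thread's "Hello World" plugin, reduced to its registration logic. */
static void HelloProcess(void *pkt, void *ctx) { (void)pkt; (void)ctx; hello_count++; }
static void HelloInit(char *args) { (void)args; model_addPreproc(HelloProcess); }
void HelloSetup(void) { model_registerPreproc("hello", HelloInit); }

/* Stage 2: snort.conf parsing. The init function runs once per matching
 * "preprocessor <keyword>[: args]" line, and never otherwise. */
static void model_load_conf(const char *conf)
{
    char buf[256], kw[64], args[128];
    strncpy(buf, conf, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        args[0] = '\0';
        if (sscanf(line, "preprocessor %63[^:\n]:%127[^\n]", kw, args) >= 1
            && strcmp(kw, reg_keyword) == 0)
            reg_init(args);
    }
}

/* Load the plugin, apply a snort.conf, push n_packets through the loop;
 * returns how many "Hello" messages the plugin produced. */
int run_model(const char *conf, int n_packets)
{
    reg_keyword = NULL; reg_init = NULL; packet_hook = NULL; hello_count = 0;
    HelloSetup();            /* plugin now shows in the dynamic plugin list */
    model_load_conf(conf);   /* HelloInit only runs if the keyword is configured */
    for (int i = 0; i < n_packets; i++)
        if (packet_hook) packet_hook(NULL, NULL);  /* per-packet preprocessor pass */
    return hello_count;
}
```

With only `preprocessor ssh` configured the model logs nothing for three packets, exactly the symptom in the thread; adding `preprocessor hello` makes it log once per packet.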