[Snort-devel] Help Developing Snort "Hello World" Dynamic Preprocessor
ryan.jordan at ...402...
Wed Aug 18 13:29:32 EDT 2010
If your initialization function "HelloInit()" is working, make sure
that it registers your detection function. Since we're using SSH as an
example, here's the important part of SSH init:
_dpd.registerPreproc( "ssh", SSHInit );
static void SSHInit(char *argp)
// prereq checks and config parsing...
_dpd.addPreproc( ProcessSSH, PRIORITY_APPLICATION, PP_SSH, PROTO_BIT__TCP );
SetupSSH() will always get called at Snort start-up. It registers the
string "ssh" as a preprocessor name.
SSHInit() only gets called if snort.conf contains "preprocessor ssh:".
SSHInit() is responsible for parsing the preprocessor's config and
registering the detection function.
Once SSHInit() has been called, ProcessSSH() will be added to the list
of preprocessor functions that get called on every packet.
To get your preprocessor working, make sure that you're following each
of these steps. I'd guess that you either left out a call to
_dpd.registerPreproc(), or didn't add your preprocessor to snort.conf.
On Wed, Aug 18, 2010 at 12:51 PM, Fuat Yosanto
<mbahe_suro at ...3099...> wrote:
> Thanks Russ,
> Actually, for my works, I decided to modify Dynamic Preprocessor Example.
> It works so far.
> May be I will try fixing my dynamic preprocessor later.
> I'm still figuring out what's wrong with my dynamic preprocessor.
> So I make a simpler & similar dynamic preprocessor, that's the "Hello
> Ok, talking about "Hello World" Dynamic Preprocessor.
> I think the initialization function (HelloInit) is working.
> Since it was loaded successfully when snort starting up.
> May be the problem is in the process function (HelloProcess).
> In my opinion, when a packet passes and captured by Snort,
> Snort always call all process function in all
> registered preprocessor (including Dynamic Preprocesssor). Am I right?
> In this case, it looks like that Snort doesn't call process function in
> "Hello World"
> Dynamic Preprocessor. I have tried modifying process function in SSH
> Dynamic Preprocessor
> to do exactly the same algorithm with "Hello World" Dynamic Preprocessor.
> (except the output messages)
> I compiled them together, all dynamic preprocessor were loaded &
> registered successfully (including "Hello World",
> because I saw it was listed in Dynamic Plugin list after Snort Pig ASCII
> Then, when a packet came, only SSH Dynamic Preprocessor can output a
> messages (done by calling _dpd.logMsg()),
> but "Hello World" it self didn't say "Hello" at all.
> It means Snort doesn't call process function in "Hello World", right?
> Is it because I did not make any configuration in
> snort.conf for "Hello World" dynamic preprocessor?
> Because I think it is not necessary to make any configuration for this
> simple preprocessor.
> Fuat Yosanto
> On Mon, 16 Aug 2010 10:33:51 -0400, Russ Combs <rcombs at ...402...>
>> Hi Fuat,
>> Rolling your own dynamic preprocessor is not as easy as it could be.
>> putting a blog post together to remedy that.
>> In the mean time, here are some pointers:
>> * ensure the dpp is compiled with exactly same options as snort
>> * ensure visibility is correct to get InitializePreprocessor() and
>> LibVersion() exported
>> * use DebugMessage() instead of _dpd.debugMsg() so file and line are set
>> * use the SNORT_DEBUG environment variable to get helpful output
>> And be sure to add the preprocessor config to your snort.conf!
>> On Sat, Jul 31, 2010 at 2:35 AM, Fuat Yosanto <
>> mbahe_suro at ...3099...> wrote:
>>> Hi all,
>>> Actually I have a problem when creating my own dynamic-preprocessor.
>>> (See my previous email with subject : Linking custom
>>> Seems like my dynamic-preprocessor hasn't been executed by Snort
>>> successfully but didn't work).
>>> I can't figure out what's wrong with it. May be something is missing.
>>> I have tried modifying Snort dynamic-preprocessor example to do same
>>> process with my dynamic-preprocessor.
>>> It works, but I can't satisfy my needs, because of its directory
>>> position, and naming problem.
>>> So to understand what are the minimum requirements to build
>>> I am looking for a basic example code like "hello world" Snort
>>> Here, I have created the prototype of "hello world" Snort
>>> The idea is simple, it will log message when it finds any kind of
>>> Additionally it can identify TCP, UDP, and ICMP packet.
>>> Assume that we have done any setup things to integrate this
>>> dynamic-preprocessor in Snort sources
>>> such as editing generators.h, preprocids.h, Makefile.am, re-running
>>> autotools, etc.
>>> These are the sources :
>>> Directory : src/dynamic-preprocessor/hello
>>> File name : spp_hello.c
>>> #include "preprocids.h"
>>> #include "sf_snort_packet.h"
>>> #include "sf_dynamic_preprocessor.h"
>>> #include "sf_dynamic_preproc_lib.h"
>>> #include "sf_snort_plugin_api.h"
>>> #include "sfPolicy.h"
>>> #include "sfPolicyUserData.h"
>>> #define GENERATOR_SPP_HELLO 230
>>> extern DynamicPreprocessorData _dpd;
>>> static void HelloInit(char *);
>>> static void HelloProcess(void *, void *);
>>> void HelloSetup()
>>> _dpd.registerPreproc("hello", HelloInit);
>>> static void HelloInit(char *args)
>>> _dpd.addPreproc(HelloProcess, PRIORITY_TRANSPORT, PP_HELLO,
>>> PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__ICMP);
>>> static void HelloProcess(void *pkt, void *context)
>>> SFSnortPacket *p = (SFSnortPacket *)pkt;
>>> _dpd.logMsg("Hello : Got TCP packet!\n");
>>> else if(IsUDP(p))
>>> _dpd.logMsg("Hello : Got UDP packet!\n");
>>> else if(IsICMP(p))
>>> _dpd.logMsg("Hello : Got ICMP packet!\n");
>>> _dpd.logMsg("Hello : Got unknown packet!\n");
>>> File name : sf_preproc_info.h :
>>> #ifndef SF_PREPROC_INFO_H_
>>> #define SF_PREPROC_INFO_H_
>>> #define MAJOR_VERSION 1
>>> #define MINOR_VERSION 0
>>> #define BUILD_VERSION 1
>>> #define PREPROC_NAME "HelloWorld_Preprocessor"
>>> #define DYNAMIC_PREPROC_SETUP HelloSetup
>>> extern void HelloSetup();
>>> So here I need a help to fix & improve them, beacuse those are still
>>> There should be something missing, something wrong, or something
>>> The Palm PDK Hot Apps Program offers developers who use the
>>> Plug-In Development Kit to bring their C/C++ apps to Palm for a share
>>> of $1 Million in cash or HP Products. Visit us here for more details:
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
> This SF.net email is sponsored by
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
More information about the Snort-devel