[Snort-devel] [Snort devel] Storing Packet data

Dirk Maarten van Duijn dirkmaarten at ...2499...
Wed Mar 17 12:29:33 EDT 2010


Good day,

I am new to mailing boards in general so I hope I stick to the unwritten
rules, if not I'm sorry.
Also English isn't my native language so some sentences got some issues :)

I am working on a dynamic preprocessor for Snort and I am running into some
problems.
The idea behind the preprocessor is that it saves a specific amount of
kilobytes from a download as data, hashes that data and compares the hash to
an internal whitelist.

The general idea is working: the saving, hashing and comparing.
I tested this locally by implementing a stub and it seems to work like it
should.

Now when I use the preprocessor like how you should use a preprocessor,
using it in combination with an Internet connection, it isn't working.
The preprocessor gets the packets, all is well except the fact that the
payload of the packet doesn't make sense.

It doesn't make sense in the way that the payload is empty most of the time
while it shouldn't be empty.
I know it isn't empty by comparing the received packets with a packet
sniffer; the fields match (seq, ack, etc.) but not the payload.
The received packets are checked with GDB.

However, the payload size seems to be set correctly.
I thought I was able to get the payload by getting the memory from
p->payload + p->payloadsize.

So my actual question is this: How do I get the payload of a packet? And
when I got that data how do I convert it to ASCII if possible?

Is there some flag I need to set somewhere to receive the data?
I changed the order of preprocessors.
I changed the priority from application to scanner and all other flags
really.
I tried all kinds of weird ways to access the memory (I'm not very skilled
with C).
I examined the code of the other preprocessors and they just seem to access
the payload data as they are pleased.

I hope I included enough information and otherwise:
Thanks for reading this far

Greetings,

Dirk
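Added example, not code from the post or from Snort: the payload pointer points at payload_size bytes, so the data is read by walking the range [0, payload_size) rather than by adding the size to the pointer. The PacketView struct, the CAPTURE_LIMIT value, the sample bytes and the FNV-1a placeholder digest are all assumptions made for this illustration; a real whitelist would use a cryptographic hash over the captured window.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical stand-in for the packet struct a preprocessor receives:
 * only the two fields the post refers to (payload pointer and its length). */
typedef struct {
    const uint8_t *payload;
    uint16_t payload_size;
} PacketView;

#define CAPTURE_LIMIT 16  /* bytes of the download to keep (example value) */

typedef struct {
    uint8_t buf[CAPTURE_LIMIT];
    size_t used;
} CaptureCtx;

/* Append this packet's payload to the capture window. payload_size is the
 * number of bytes behind p->payload, not an offset to add to it. Packets
 * with no payload (for example pure ACK segments) are skipped. Returns 1
 * once the window is full, 0 otherwise. */
int capture_payload(CaptureCtx *ctx, const PacketView *p) {
    if (p->payload == NULL || p->payload_size == 0)
        return ctx->used == CAPTURE_LIMIT;
    size_t room = CAPTURE_LIMIT - ctx->used;
    size_t n = p->payload_size < room ? p->payload_size : room;
    memcpy(ctx->buf + ctx->used, p->payload, n);
    ctx->used += n;
    return ctx->used == CAPTURE_LIMIT;
}

/* Render raw bytes for display: printable ASCII is kept, every other byte
 * becomes '.', so a binary download can be inspected without surprises.
 * out must hold len + 1 bytes. */
void to_printable(const uint8_t *data, size_t len, char *out) {
    for (size_t i = 0; i < len; i++)
        out[i] = isprint(data[i]) ? (char)data[i] : '.';
    out[len] = '\0';
}

/* Placeholder digest (FNV-1a, 32-bit) over the captured window; stands in
 * for the cryptographic hash a whitelist comparison would actually use. */
uint32_t capture_digest(const CaptureCtx *ctx) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < ctx->used; i++) {
        h ^= ctx->buf[i];
        h *= 16777619u;
    }
    return h;
}
```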