[Snort-devel] [Snort devel] Storing Packet data

Russ Combs rcombs at ...402...
Wed Mar 17 12:56:28 EDT 2010

p->payload is the start of payload data; p->payload + p->payload_size is one
byte past the end.

Any conversion will depend on your application.  You will have ASCII for
typical IP-based ASCII protocols.

Hope that helps.

On Wed, Mar 17, 2010 at 12:29 PM, Dirk Maarten van Duijn <
dirkmaarten at ...2499...> wrote:

> Good day,
> I am new to mailing boards in general so I hope I stick to the unwritten
> rules; if not, I'm sorry.
> Also, English isn't my native language, so some sentences may have some issues :)
> I am working on a dynamic preprocessor for Snort and I am running into some
> problems.
> The idea behind the preprocessor is that it saves a specific amount of
> kilobytes from a download as data, hashes that data and compares the hash to
> an internal whitelist.
> The general idea is working: the saving, hashing and comparing.
> I tested this locally by implementing a stub and it seems to work like it
> should.
> Now when I use the preprocessor the way you should use a preprocessor,
> in combination with an Internet connection, it isn't working.
> The preprocessor gets the packets; all is well except for the fact that the
> payload of the packet doesn't make sense.
> It doesn't make sense in that the payload is empty most of the time
> while it shouldn't be empty.
> I know it isn't empty by comparing the received packets with a packet
> sniffer: the fields match (seq, ack, etc.) but not the payload.
> The received packets are checked with GDB.
> However, the payload size seems to be set correctly.
> I thought I was able to get the payload by getting the memory from
> p->payload + p->payloadsize.
> So my actual question is this: How do I get the payload of a packet? And
> when I've got that data, how do I convert it to ASCII, if possible?
> Is there some flag I need to set somewhere to receive the data?
> I changed the order of preprocessors.
> I changed the priority from application to scanner and all other flags
> really.
> I tried all kind of weird ways to access the memory (I'm not very skilled
> with C).
> I examined the code of the other preprocessors and they just seem to access
> the payload data as they please.
> I hope I included enough information and otherwise:
> Thanks for reading this far
> Greetings,
> Dirk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
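The half-open range Russ describes, [p->payload, p->payload + p->payload_size), is all a preprocessor needs to read the payload. The following is an added example, not code from the Snort project or from anyone in this thread. It models only the two SFSnortPacket fields the reply names in a stand-in struct (ExamplePacket) and shows three things a preprocessor like the one in the question would do: walk the payload by pointer, render it as printable ASCII with non-printable bytes escaped, and collect the first N bytes of a download into a window for hashing. The hash is FNV-1a, used here as a placeholder for the cryptographic hash a real whitelist check would need; ExamplePacket, PayloadWindow, the function names and the sample payloads are all constructed for this example.

```c
/*
 * Added example: not Snort project code. ExamplePacket stands in for the
 * two SFSnortPacket fields used below; real packets carry many more.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const uint8_t *payload;      /* first payload byte, NULL if none */
    uint16_t       payload_size; /* payload + payload_size is one past the end */
} ExamplePacket;

/*
 * Render the payload as printable ASCII. 7-bit printable bytes are copied
 * as-is; every other byte becomes \xHH. out is always NUL-terminated.
 * Returns how many payload bytes were consumed, so a caller can detect a
 * too-small buffer (returned value < payload_size).
 */
size_t payload_to_ascii(const ExamplePacket *p, char *out, size_t out_len)
{
    size_t o = 0;

    if (out_len == 0)
        return 0;
    if (p->payload == NULL || p->payload_size == 0) {
        out[0] = '\0';
        return 0;
    }

    const uint8_t *cur = p->payload;
    const uint8_t *end = p->payload + p->payload_size; /* one past the end */

    for (; cur < end; cur++) {
        if (*cur >= 0x20 && *cur < 0x7f) {
            if (o + 1 >= out_len)          /* need 1 char + NUL */
                break;
            out[o++] = (char)*cur;
        } else {
            if (o + 4 >= out_len)          /* need 4 chars (\xHH) + NUL */
                break;
            snprintf(out + o, out_len - o, "\\x%02x", *cur);
            o += 4;
        }
    }
    out[o] = '\0';
    return (size_t)(cur - p->payload);
}

/*
 * First-N-bytes window: the "save a specific amount of kilobytes from a
 * download" step. Assumes payloads arrive in stream order; in a real
 * preprocessor that means working on stream-reassembled data.
 */
typedef struct {
    uint8_t *buf;
    size_t   limit;
    size_t   used;
} PayloadWindow;

int window_init(PayloadWindow *w, size_t limit)
{
    w->buf = malloc(limit);
    w->limit = limit;
    w->used = 0;
    return w->buf != NULL;
}

void window_free(PayloadWindow *w)
{
    free(w->buf);
    w->buf = NULL;
    w->used = w->limit = 0;
}

/* Copy as much of this packet as still fits. Returns 1 once the window is full. */
int window_add(PayloadWindow *w, const ExamplePacket *p)
{
    size_t room = w->limit - w->used;
    size_t n = p->payload_size < room ? p->payload_size : room;

    if (n > 0 && p->payload != NULL) {
        memcpy(w->buf + w->used, p->payload, n);
        w->used += n;
    }
    return w->used == w->limit;
}

/* 64-bit FNV-1a: placeholder for the real hash compared against a whitelist. */
uint64_t fnv1a64(const uint8_t *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

int main(void)
{
    /* Constructed sample payloads standing in for two packets of one stream. */
    static const uint8_t req[]  = "GET /file.bin HTTP/1.1\r\n";
    static const uint8_t body[] = { 'M', 'Z', 0x90, 0x00, 0x03 };
    ExamplePacket p1 = { req, (uint16_t)(sizeof req - 1) };
    ExamplePacket p2 = { body, (uint16_t)sizeof body };
    char text[128];
    PayloadWindow w;

    payload_to_ascii(&p1, text, sizeof text);
    printf("packet 1: %s\n", text);
    payload_to_ascii(&p2, text, sizeof text);
    printf("packet 2: %s\n", text);

    if (!window_init(&w, 26))
        return 1;
    window_add(&w, &p1);                   /* 24 bytes, not full yet */
    int full = window_add(&w, &p2);        /* takes 2 more, now full */
    printf("window full: %d, hash: %016llx\n", full,
           (unsigned long long)fnv1a64(w.buf, w.used));
    window_free(&w);
    return 0;
}
```

The two checks worth keeping from this are the buffer-bound test in payload_to_ascii (an escaped byte needs four output characters, not one) and the fact that window_add never writes past limit, so a stream longer than the window cannot overrun the hash buffer.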
