[Snort-devel] Interested in developing a preprocessor; want all the documentation I can get.

Bill Reimer breimer273 at ...2499...
Tue Aug 13 06:22:31 EDT 2013


Went down this path a few years ago. I couldn't find any documentation
then, I don't know if there is any now. Even posted in this mailing list,
still no dice. Anyway, the best advice I can give is to look at a
preprocessor that is included with snort and take a look at how that is
built. I believe it is either a compile-time option or a run-time option
that you will also need to add your preprocessor to the list. It sounds
like what you want to do would be good to do in a preprocessor. Keep in
mind there are other preprocessors that do useful things, like there is one
that will tell snort to ignore SSL traffic. Good luck! I will keep watching
this in case anyone else has any other ideas.


On Mon, Aug 12, 2013 at 10:34 PM, Rodrigo Montoro(Sp0oKeR) <
spooker at ...2499...> wrote:

> Take a look at host attribute tables http://manual.snort.org/node22.html
>
> Anyway, this tool with nmap does something similar to what you want, I guess,
> but not by analyzing the traffic that is passing through Snort.
>
>
> http://global-security.blogspot.com.br/2010/02/hogging-snort-host-attribute-table.html
>
> Maybe by studying DAQ you could get the hook you want more easily than with a preproc.
> Anyway, as I said before, I'm not a devel, so I'm just looking at this as an infosec
> guy.
>
> Good luck!
>
> regards,
>
>
> On Mon, Aug 12, 2013 at 10:52 PM, Tony Robinson <
> deusexmachina667 at ...2499...> wrote:
>
>> This gives me a good starting point... Do you or anyone else for that
>> matter know if the starter kit is compatible with the latest Snort
>> versions? I'm assuming so, since the web page refers to Snort 2.9.4.x while
>> the text doc in the tarball refers to Snort 2.9.0.x.
>>
>> Also, specifically what I'm looking to do is take normalized traffic in
>> either a passive or inline config and pass the cleaned-up/reassembled
>> traffic to prads or p0f for more accurate host detection; in turn, prads
>> or p0f could be used to build more accurate stream5 or frag3 host
>> policies. Makes sense, no?
>>
>>
>> On Mon, Aug 12, 2013 at 9:27 PM, Rodrigo Montoro(Sp0oKeR) <
>> spooker at ...2499...> wrote:
>>
>>> I'm not a devel but for sure this url will help you =)
>>>
>>> http://www.snort.org/snort-downloads/dynamic-preprocessor-starter-kit/
>>>
>>> Regards,
>>>
>>>
>>> On Mon, Aug 12, 2013 at 10:23 PM, Tony Robinson <
>>> deusexmachina667 at ...2499...> wrote:
>>>
>>>> Title really says it all.
>>>>
>>>> Sorry for cross posting this into both users and the devel mailing
>>>> list, but I'm looking to get as many sets of eyes as I can here.
>>>>
>>>> Do any of you have any experience developing Snort preprocessors? I
>>>> would like to try my hand at rolling one of my own, or figuring out how to pass
>>>> normalized/preprocessed traffic to other network inspection tools -- to be
>>>> quite honest, I have no idea what I'm doing and am not sure if a
>>>> preprocessor would be necessary to do this or not.
>>>>
>>>> I know that for the most part, there are readmes included with most of
>>>> the source code, but if anyone has any more solid documentation on how to do
>>>> something like this, I need all the documentation I can get.
>>>>
>>>>
>>>>
>>>> --
>>>> when does reality end? when does fantasy begin?
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Get 100% visibility into Java/.NET code with AppDynamics Lite!
>>>> It's a free troubleshooting tool designed for production.
>>>> Get down to code-level detail for bottlenecks, with <2% overhead.
>>>> Download for free and get started troubleshooting in minutes.
>>>>
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>> Archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>>
>>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>>
>>>
>>>
>>>
>>> --
>>> Rodrigo Montoro (Sp0oKeR)
>>> http://spookerlabs.blogspot.com
>>> http://www.twitter.com/spookerlabs
>>> http://www.linkedin.com/in/spooker
>>>
>>
>>
>>
>> --
>> when does reality end? when does fantasy begin?
>>
>
>
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://spookerlabs.blogspot.com
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>
>
>
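Tony's plan above (feed prads/p0f fingerprints back into stream5/frag3 host policies) and Rodrigo's pointer to the host attribute table can be joined without writing a preprocessor at all: the fingerprinter writes a log, a script turns that log into the attribute-table XML, and Snort loads the XML. The script below is an added example for this thread, not Snort, p0f or prads code. The p0f-style log lines in it are constructed, the OS-label-to-policy mapping and the fixed CONFIDENCE value are assumptions to tune for a real sensor, and the policy name sets are the ones the Snort 2.9 manual lists for frag3 and stream5.

```python
"""Turn p0f-style OS fingerprints into a Snort 2.9 host attribute table.

Added example for the snort-devel thread; not Snort, p0f or prads code.
Log lines are constructed; OS_POLICY_MAP and the CONFIDENCE value are
assumptions that a real deployment would tune against its fingerprint DB.
"""
import re
import xml.etree.ElementTree as ET

# Policy names that frag3 and stream5 accept (Snort 2.9 manual).
FRAG3_POLICIES = {"first", "last", "bsd", "bsd-right", "linux", "windows", "solaris"}
STREAM5_POLICIES = {"first", "last", "bsd", "linux", "old-linux", "windows", "win2003",
                    "vista", "solaris", "hpux", "hpux10", "irix", "macos"}

# Assumed mapping from p0f OS labels to (frag3 policy, stream5 policy).
# Prefix match, so the most specific label must come first.
OS_POLICY_MAP = [
    ("Windows 7 or 8", ("windows", "vista")),
    ("Windows", ("windows", "windows")),
    ("Linux 2.4", ("linux", "old-linux")),
    ("Linux", ("linux", "linux")),
    ("FreeBSD", ("bsd", "bsd")),
    ("Mac OS X", ("bsd", "macos")),
    ("Solaris", ("solaris", "solaris")),
]

# Constructed p0f v3-style records: '[timestamp] key=value|key=value|...'.
SAMPLE_P0F_LOG = """\
[2013/08/13 06:10:01] mod=syn|cli=192.168.1.23/53412|srv=10.0.0.5/80|subj=cli|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
[2013/08/13 06:10:07] mod=syn|cli=192.168.1.40/1121|srv=10.0.0.5/445|subj=cli|os=Windows 7 or 8|dist=1|params=none|raw_sig=4:127+1:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2013/08/13 06:10:09] mod=http request|cli=192.168.1.23/53414|srv=10.0.0.5/80|subj=cli|app=Firefox 23.x|lang=English|params=none|raw_sig=1:Host,User-Agent,Accept=[text/html]
[2013/08/13 06:10:12] mod=syn|cli=192.168.1.77/40011|srv=10.0.0.5/22|subj=cli|os=???|dist=0|params=none|raw_sig=4:64+0:0:1460:65535,0:mss:df:0
[2013/08/13 06:10:20] mod=syn+ack|cli=192.168.1.23/53420|srv=10.0.0.9/22|subj=srv|os=FreeBSD 9.x|dist=0|params=none|raw_sig=4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df:0
"""

P0F_RECORD = re.compile(r"^\[[^\]]+\]\s+(?P<fields>.+)$")


def parse_p0f_record(line):
    """Return (ip, os_label) for a TCP fingerprint record, else None.

    Only the 'syn' (client) and 'syn+ack' (server) modules carry an OS guess;
    'subj' names the fingerprinted endpoint and '???' means no signature hit.
    """
    m = P0F_RECORD.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split("|") if "=" in kv)
    if fields.get("mod") not in ("syn", "syn+ack"):
        return None
    endpoint = fields.get(fields.get("subj", "cli"), "")
    os_label = fields.get("os", "???")
    if not endpoint or os_label.startswith("?"):
        return None
    return endpoint.rsplit("/", 1)[0], os_label  # strip the port


def policy_for(os_label):
    """Map a p0f OS label to (frag3, stream5) policies; None if unmapped."""
    for prefix, policies in OS_POLICY_MAP:
        if os_label.startswith(prefix):
            return policies
    return None


def collect_hosts(log_text):
    """Latest OS label seen per IP, keyed in first-seen order."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_p0f_record(line)
        if rec:
            hosts[rec[0]] = rec[1]
    return hosts


def build_attribute_table(log_text, confidence=100):
    """Emit SNORT_ATTRIBUTES XML. Hosts without a mapped policy are left out,
    so Snort keeps the preprocessor's configured default policy for them."""
    root = ET.Element("SNORT_ATTRIBUTES")
    amap = ET.SubElement(root, "ATTRIBUTE_MAP")
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    ids = {}
    for ip, os_label in collect_hosts(log_text).items():
        policies = policy_for(os_label)
        if policies is None:
            continue
        frag, stream = policies
        if frag not in FRAG3_POLICIES or stream not in STREAM5_POLICIES:
            raise ValueError("bad policy for %s: %r" % (os_label, policies))
        if os_label not in ids:  # OS names are referenced by ID through the map
            ids[os_label] = len(ids) + 1
            entry = ET.SubElement(amap, "ENTRY")
            ET.SubElement(entry, "ID").text = str(ids[os_label])
            ET.SubElement(entry, "VALUE").text = os_label
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ip
        os_el = ET.SubElement(host, "OPERATING_SYSTEM")
        name = ET.SubElement(os_el, "NAME")
        ET.SubElement(name, "ATTRIBUTE_ID").text = str(ids[os_label])
        ET.SubElement(name, "CONFIDENCE").text = str(confidence)
        ET.SubElement(os_el, "FRAG_POLICY").text = frag
        ET.SubElement(os_el, "STREAM_POLICY").text = stream
    return ET.tostring(root, encoding="unicode")


def table_policies(xml_text):
    """Read {ip: (frag3, stream5)} back out of a generated table, for checking."""
    root = ET.fromstring(xml_text)
    return {h.findtext("IP"): (h.findtext("OPERATING_SYSTEM/FRAG_POLICY"),
                               h.findtext("OPERATING_SYSTEM/STREAM_POLICY"))
            for h in root.iter("HOST")}


if __name__ == "__main__":
    print(build_attribute_table(SAMPLE_P0F_LOG))
```

Point Snort at the output with `attribute_table filename /path/to/hosts.xml` in snort.conf; hosts not in the table keep the `policy` set on frag3_engine and stream5_tcp. Two caveats: the table is read when Snort loads its configuration, so the script has to be rerun and Snort reloaded for new fingerprints to take effect, and a host that p0f labels differently over time (the last record wins here) should be reviewed before its reassembly policy is changed, since a wrong target policy is exactly the evasion window stream5 and frag3 target-based reassembly is meant to close.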