[Snort-devel] [snort-devel] Chainning pre-processors

Hui Cao hcao at ...402...
Wed Dec 4 13:22:11 EST 2013


Yes, it is possible. You can register your preprocessor like this:

_dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID, PROTO_BIT__IP );

Remember to check the following flag in your ExampleProcess:

((SFSnortPacket *)ipacketp)->flags & FLAG_REBUILT_FRAG

Best,
Hui.

On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
> Hi everybody,
>
> I'm creating a new preprocessor which needs to have the whole content 
> in a packet which was fragmented.
>
> So I thought of using the frag3 preprocessor to reassemble the 
> packets, and then, when this reassembly is done, send it to my own 
> preprocessor.
>
> Do you know if this is possible? May I have the output of frag3 being 
> the input of my own preprocessor?
>
> Regards,
> Emiliano.
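
Added example, not part of the original thread and not Snort code: a self-contained C model of the flag check from the reply, showing that a pattern split across IP fragments is only visible in the rebuilt packet. struct demo_packet, DEMO_FLAG_REBUILT_FRAG, is_fragment, example_process and the sample data are stand-ins assumed for illustration; a real preprocessor uses SFSnortPacket and FLAG_REBUILT_FRAG from Snort's dynamic preprocessor headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for this example only (assumptions, not Snort definitions). */
#define DEMO_FLAG_REBUILT_FRAG 0x1u

struct demo_packet {
    uint32_t       flags;        /* rebuilt flag set on the reassembled datagram */
    int            is_fragment;  /* hypothetical: nonzero for a raw IP fragment */
    const uint8_t *payload;
    size_t         payload_len;
};

enum verdict { SKIPPED = 0, CLEAN = 1, MATCH = 2 };

/* Bounded substring search; packet payloads are not NUL-terminated. */
static int contains(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || hlen < nlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Plays the role of ExampleProcess: raw fragments carry partial data, so
 * they are skipped and only the rebuilt (or unfragmented) packet is inspected. */
enum verdict example_process(const struct demo_packet *p, const char *pattern)
{
    if (p == NULL || p->payload == NULL)
        return SKIPPED;
    if (p->is_fragment && !(p->flags & DEMO_FLAG_REBUILT_FRAG))
        return SKIPPED;
    return contains(p->payload, p->payload_len, pattern) ? MATCH : CLEAN;
}

/* Constructed sample: the pattern "SIGNATURE" straddles two fragments. */
static const uint8_t FRAG1[] = "AAAASIGN";
static const uint8_t FRAG2[] = "ATUREBBBB";
static const uint8_t WHOLE[] = "AAAASIGNATUREBBBB";

const struct demo_packet SAMPLE[3] = {
    { 0, 1, FRAG1, sizeof FRAG1 - 1 },                       /* first fragment */
    { 0, 1, FRAG2, sizeof FRAG2 - 1 },                       /* second fragment */
    { DEMO_FLAG_REBUILT_FRAG, 0, WHOLE, sizeof WHOLE - 1 },  /* rebuilt packet */
};
```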