[Snort-devel] Chaining pre-processors

Emiliano Fausto emiliano.fausto at ...2499...
Wed Dec 4 14:36:03 EST 2013


Great,

so, the pre-processors are "chained" by default, and the order in which Snort
calls them is set by the PRIORITY variable.

Do you know where this PRIORITY variable is defined? I saw that frag3 is
being registered with PRIORITY_NETWORK, so I'd like to set the priority of my
own preprocessor to (PRIORITY_NETWORK - 1).

Thanks in advance,
Emiliano


2013/12/4 Hui Cao <hcao at ...402...>

>  sc means Snort configuration. We use PRIORITY to sort the processing.
> All enabled processors will be called and processed based on priority. You
> have to rely on the code to figure out exactly what Snort does.
>
> The checking is correct. You will only process rebuilt packets.
>
> Best,
> Hui.
>  On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
>
> Hello Hui,
>
>  thanks a lot for your answer.
>
>  Right now I have registered my preprocessor (let's call it
> examplePreprocess as you said, because right now I'm using the one provided
> with the DPX) with this line:
>
>  _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000, PROTO_BIT__TCP);
>
>  So, the only change is to add the "sc" before the ExampleProcess parameter.
> What does it mean? Do you know if there's any documentation about this
> chaining of preprocessors?
>
>  So, checking the flags, should be:
>
>  ((SFSnortPacket *)tcppacket)->flags & FLAG_REBUILT_FRAG
>
>  right?
>
>  Thanks again!
> Emiliano.
>
>
>
>  Then, I'll have to register my own preprocessor where?
>
>
> 2013/12/4 Hui Cao <hcao at ...402...>
>
>>  Yes, it is possible. You can register your preprocessor like this:
>>
>> _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID, PROTO_BIT__IP );
>>
>> Remember to check the following flag in your ExampleProcess:
>>
>> ((SFSnortPacket *)ipacketp)->flags & FLAG_REBUILT_FRAG
>>
>> Best,
>> Hui.
>>
>>
>> On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
>>
>>  Hi everybody,
>>
>>  I'm creating a new preprocessor which needs to have the whole content
>> of a packet that was fragmented.
>>
>>  So I thought of using the frag3 preprocessor to reassemble the
>> packets, and then, when this reassembly is done, send them to my own
>> preprocessor.
>>
>>  Do you know if this is possible? Can I have the output of frag3 be
>> the input of my own preprocessor?
>>
>>  Regards,
>> Emiliano.
>>
>>
>>
>>
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>>
>>
>>
>
>
>
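Added example, not code from the thread and not Snort's own source. The thread turns on two points: where a preprocessor lands in Snort's dispatch order, and how it tells a reassembled datagram from an ordinary packet. The C program below models both so they can be run offline, using constructed stand-ins: the SFSnortPacket struct is cut down to the fields used here, the values given for FLAG_REBUILT_FRAG, PRIORITY_NETWORK and PRIORITY_TRANSPORT are assumed (take the real ones from sf_snort_packet.h and preprocids.h), register_preproc() stands in for _dpd.addPreproc(), and FakeFrag3() models frag3 only as far as setting the rebuilt flag, whereas the real frag3 reassembles the fragments and pushes a separate rebuilt packet back through the chain. It also assumes ascending-priority dispatch (a lower value runs earlier), which is how I read the preprocessor list insertion in Snort 2.x. One consequence it makes concrete: with that ordering, a preprocessor registered at PRIORITY_NETWORK - 1 runs before frag3 and so never sees FLAG_REBUILT_FRAG set; a value above frag3's, such as the PRIORITY_TRANSPORT in Hui's registration line, is what places it after frag3.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for SFSnortPacket with only the fields used here. */
typedef struct {
    uint32_t       flags;
    const uint8_t *payload;
    uint16_t       payload_size;
} SFSnortPacket;

/* Assumed values: take the real ones from sf_snort_packet.h and preprocids.h. */
#define FLAG_REBUILT_FRAG  0x00000001u
#define PRIORITY_NETWORK   0x10
#define PRIORITY_TRANSPORT 0x100

typedef void (*PreprocFunc)(void *packet, void *context);
typedef struct { const char *name; PreprocFunc fn; int priority; unsigned id; } PreprocEntry;

#define MAX_PREPROCS 8
static PreprocEntry g_preprocs[MAX_PREPROCS];
static size_t g_count;
static int g_rebuilt_seen, g_skipped;   /* what ExampleProcess did */
static uint32_t g_bytes_seen;

void reset_registry(void)
{
    memset(g_preprocs, 0, sizeof g_preprocs);
    g_count = 0; g_rebuilt_seen = g_skipped = 0; g_bytes_seen = 0;
}

/* Stand-in for _dpd.addPreproc(): the list stays sorted by ascending priority,
 * so a lower value runs earlier; equal priorities keep registration order. */
int register_preproc(const char *name, PreprocFunc fn, int priority, unsigned id)
{
    if (g_count >= MAX_PREPROCS)
        return -1;
    size_t i = g_count;
    while (i > 0 && g_preprocs[i - 1].priority > priority) {
        g_preprocs[i] = g_preprocs[i - 1];
        i--;
    }
    g_preprocs[i] = (PreprocEntry){ name, fn, priority, id };
    g_count++;
    return 0;
}

const char *preproc_name_at(size_t idx) { return idx < g_count ? g_preprocs[idx].name : NULL; }

/* Dispatch one packet through every registered preprocessor in list order. */
void run_preprocs(SFSnortPacket *p)
{
    for (size_t i = 0; i < g_count; i++)
        g_preprocs[i].fn(p, NULL);
}

/* Models frag3 only as far as marking the packet rebuilt (the real frag3 pushes a separate rebuilt packet). */
static void FakeFrag3(void *packet, void *context)
{
    (void)context;
    ((SFSnortPacket *)packet)->flags |= FLAG_REBUILT_FRAG;
}

/* The preprocessor from the thread: skip anything that is not a rebuilt
 * datagram, otherwise consume the reassembled payload. */
static void ExampleProcess(void *packet, void *context)
{
    (void)context;
    const SFSnortPacket *p = packet;
    if (!(p->flags & FLAG_REBUILT_FRAG)) {
        g_skipped++;
        return;
    }
    g_rebuilt_seen++;
    g_bytes_seen += p->payload_size;
}

int      example_rebuilt_seen(void) { return g_rebuilt_seen; }
int      example_skipped(void)      { return g_skipped; }
uint32_t example_bytes_seen(void)   { return g_bytes_seen; }

/* Register ExampleProcess at the given priority next to a frag3 at PRIORITY_NETWORK,
 * feed one constructed packet, and return 1 if ExampleProcess saw it as rebuilt. */
int run_scenario(int example_priority)
{
    static const uint8_t payload[] = "constructed reassembled payload";
    reset_registry();
    register_preproc("example", ExampleProcess, example_priority, 10000);
    register_preproc("frag3", FakeFrag3, PRIORITY_NETWORK, 1);
    SFSnortPacket pkt = { 0, payload, (uint16_t)(sizeof payload - 1) };
    run_preprocs(&pkt);
    return g_rebuilt_seen;
}

int main(void)
{
    printf("PRIORITY_TRANSPORT   -> rebuilt seen = %d\n", run_scenario(PRIORITY_TRANSPORT));
    printf("PRIORITY_NETWORK - 1 -> rebuilt seen = %d\n", run_scenario(PRIORITY_NETWORK - 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. The first scenario prints 1 (frag3 sorts ahead of the example and marks the packet before the example sees it); the second prints 0 (the example sorts ahead of frag3, sees flags of 0, and skips the packet). In a real DPX module the same check belongs at the top of the callback, and the priority argument to _dpd.addPreproc() decides which of these two situations you are in.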