[Snort-devel] [snort-devel] Chaining pre-processors

Hui Cao hcao at ...402...
Wed Dec 4 14:39:18 EST 2013


In sr/preprocids.h

Best,
Hui.
On 12/04/2013 02:36 PM, Emiliano Fausto wrote:
> Great,
>
> so, the pre-processors are "chained" by default, and the order that 
> SNORT follows to call them is set by the PRIORITY variable.
>
> Do you know where this PRIORITY variable is defined? Because I saw that 
> the frag3 is being registered with PRIORITY_NETWORK, so I'd like to 
> set the priority of my own preprocessor as (PRIORITY_NETWORK -1).
>
> Thanks in advance,
> Emiliano
>
>
> 2013/12/4 Hui Cao <hcao at ...402...>
>
>     sc means snort configuration. We use PRIORITY to sort the
>     processing. All processors enabled will be called and processed
>     based on priority. You have to rely on the code to figure out what
>     exactly snort does.
>
>     The checking is correct. You will only process rebuilt packets.
>
>     Best,
>     Hui.
>     On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
>>     Hello Hui,
>>
>>     thanks a lot for your answer.
>>
>>     Right now I have registered my preprocessor (let's call it
>>     examplePreprocess as you said, because right now I'm using the
>>     one provided with the DPX) with this line:
>>
>>     _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000,
>>     PROTO_BIT__TCP);
>>
>>     So, the only change is to add "sc" before the ExampleProcess
>>     parameter. What does it mean? Do you know if
>>     there's any documentation about this chaining of preprocessors?
>>
>>     So, checking the flags, should be:
>>
>>     ((SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG
>>
>>     right?
>>
>>     Thanks again!
>>     Emiliano.
>>
>>
>>
>>     Then, I'll have to register my own preprocessor where?
>>
>>
>>     2013/12/4 Hui Cao <hcao at ...402...>
>>
>>         Yes, it is possible. You can register your preprocessor like this:
>>
>>         _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT,
>>         You_PP_ID, PROTO_BIT__IP );
>>
>>         Remember to check the following flag in your ExampleProcess:
>>
>>         ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG
>>
>>         Best,
>>         Hui.
>>
>>
>>         On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
>>>         Hi everybody,
>>>
>>>         I'm creating a new preprocessor which needs to have the
>>>         whole content in a packet which was fragmented.
>>>
>>>         So I thought of using the frag3 preprocessor to reassemble
>>>         the packets, and then, when this reassembly is done, send it
>>>         to my own preprocessor.
>>>
>>>         Do you know if this is possible? May I have the output of
>>>         frag3 being the input of my own preprocessor?
>>>
>>>         Regards,
>>>         Emiliano.
>>>
>>>
>>>         _______________________________________________
>>>         Snort-devel mailing list
>>>         Snort-devel at lists.sourceforge.net
>>>         https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>         Archive:
>>>         http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>>         Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>>
>>
>
>
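
The ordering and flag check discussed in this thread, as an added stand-alone C model (not Snort's code and not written by either poster): every registered hook is called for every packet in priority order, and the hook only inspects packets carrying FLAG_REBUILT_FRAG. The numeric constant values, the ascending sort order, and the names ModelPacket, Chain, chain_add, chain_dispatch, FragStandIn and run_demo are assumptions made for the model.

```c
/* Stand-alone model, NOT Snort code. Constant values below are constructed. */
#include <stddef.h>
#include <stdint.h>
#define PRIORITY_NETWORK   0x10
#define PRIORITY_TRANSPORT 0x100
#define FLAG_REBUILT_FRAG  0x1u
typedef struct { uint32_t flags; uint16_t payload_size; } ModelPacket;
typedef void (*PreprocFn)(ModelPacket *p, void *ctx);
typedef struct { PreprocFn fn; unsigned priority; void *ctx; } Entry;
typedef struct { Entry e[8]; size_t n; } Chain;
typedef struct { unsigned seen, inspected; unsigned long bytes; } ExampleStats;

/* Insert in ascending priority (assumed order); returns -1 if the chain is full. */
int chain_add(Chain *c, PreprocFn fn, unsigned priority, void *ctx) {
    size_t i;
    if (c->n >= sizeof c->e / sizeof c->e[0]) return -1;
    for (i = c->n; i > 0 && c->e[i - 1].priority > priority; i--)
        c->e[i] = c->e[i - 1];
    c->e[i] = (Entry){ fn, priority, ctx };
    c->n++;
    return 0;
}

/* Every registered preprocessor is called for every packet, in chain order. */
void chain_dispatch(const Chain *c, ModelPacket *p) {
    for (size_t i = 0; i < c->n; i++) c->e[i].fn(p, c->e[i].ctx);
}

/* Hook as in the thread: skip raw fragments, inspect only rebuilt packets. */
void ExampleProcess(ModelPacket *p, void *ctx) {
    ExampleStats *s = ctx;
    s->seen++;
    if (!(p->flags & FLAG_REBUILT_FRAG)) return;
    s->inspected++;
    s->bytes += p->payload_size;
}

void FragStandIn(ModelPacket *p, void *ctx) { (void)p; (void)ctx; } /* no-op stand-in */
/* Constructed traffic: two raw fragments, then one rebuilt 2960-byte packet. */
ExampleStats run_demo(void) {
    Chain c = { .n = 0 };
    ExampleStats s = { 0, 0, 0 };
    ModelPacket pkts[] = { {0, 1480}, {0, 1480}, {FLAG_REBUILT_FRAG, 2960} };
    chain_add(&c, ExampleProcess, PRIORITY_TRANSPORT, &s);
    chain_add(&c, FragStandIn, PRIORITY_NETWORK, NULL);
    for (size_t i = 0; i < 3; i++) chain_dispatch(&c, &pkts[i]);
    return s;
}
int main(void) { return run_demo().inspected == 1 ? 0 : 1; }
```

In the model the hook is called for all three packets but accumulates bytes only from the rebuilt one, and the later registration with the lower priority value still ends up first in the chain.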
