[Snort-devel] [snort-devel] Chaining pre-processors

Emiliano Fausto emiliano.fausto at ...2499...
Wed Dec 4 14:44:54 EST 2013


Hi Hui,

I've seen that I was using PRIORITY_TRANSPORT, which is lower than the
PRIORITY_NETWORK that frag3 uses.

Anyway, I set the priority of my own preprocessor to PRIORITY_LAST, but
the TCP packets keep arriving fragmented at my preprocessor.

Is there anything else I should take into account?

Thanks in advance,
Emiliano.


2013/12/4 Hui Cao <hcao at ...402...>

>  In sr/preprocids.h
>
> Best,
> Hui.
>
> On 12/04/2013 02:36 PM, Emiliano Fausto wrote:
>
> Great,
>
>  So, the pre-processors are "chained" by default, and the order that
> SNORT follows to call them is set by the PRIORITY variable.
>
>  Do you know where this PRIORITY variable is defined? Because I saw that
> frag3 is being registered with PRIORITY_NETWORK, so I'd like to set the
> priority of my own preprocessor as (PRIORITY_NETWORK - 1).
>
>  Thanks in advance,
> Emiliano
>
>
> 2013/12/4 Hui Cao <hcao at ...402...>
>
>>  sc means snort configuration. We use PRIORITY to sort the processing.
>> All processors enabled will be called and processed based on priority. You
>> have to rely on the code to figure out what exactly snort does.
>>
>> The checking is correct. You will only process rebuilt packets.
>>
>> Best,
>> Hui.
>>   On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
>>
>> Hello Hui,
>>
>>  thanks a lot for your answer.
>>
>>  Right now I have registered my preprocessor (let's call it
>> examplePreprocess as you said, because right now I'm using the one provided
>> with the DPX) with this line:
>>
>>  _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000,
>> PROTO_BIT__TCP);
>>
>>  So, the only change is to add "sc" before the ExampleProcess parameter.
>> What does it mean? Do you know if there's any documentation about
>> chaining preprocessors?
>>
>>  So, checking the flags should be:
>>
>>  ((SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG
>>
>>  right?
>>
>>  Thanks again!
>> Emiliano.
>>
>>
>>
>>  Then, I'll have to register my own preprocessor where?
>>
>>
>> 2013/12/4 Hui Cao <hcao at ...402...>
>>
>>>  Yes, it is possible. You can register your preprocessor like this:
>>>
>>> _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID,
>>> PROTO_BIT__IP );
>>>
>>> Remember to check the following flag in your ExampleProcess:
>>>
>>> ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG
>>>
>>> Best,
>>> Hui.
>>>
>>>
>>> On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
>>>
>>>  Hi everybody,
>>>
>>>  I'm creating a new preprocessor which needs to have the whole content
>>> in a packet which was fragmented.
>>>
>>>  So I thought of using the frag3 preprocessor to reassemble the
>>> packets, and then, when this reassembly is done, send them to my own
>>> preprocessor.
>>>
>>>  Do you know if this is possible? Can I have the output of frag3 be
>>> the input of my own preprocessor?
>>>
>>>  Regards,
>>> Emiliano.
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at ...3458...
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>>
>
>
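Hui's advice in the thread (register with _dpd.addPreproc at a PRIORITY that sorts the callback after frag3, and gate on FLAG_REBUILT_FRAG) is easier to see in a small model. What follows is an added example, not code from this thread or from the Snort source: it models Snort's priority-sorted preprocessor chain and the flag check, and the priority constants and flag bit are assumed placeholder values (the real definitions live in Snort's own headers).

```c
/* Added example, not code from the thread or from Snort: a small model of how
 * Snort orders preprocessor callbacks by PRIORITY and why a callback must gate
 * on FLAG_REBUILT_FRAG. Priority and flag values are assumed placeholders that
 * follow Snort's convention (a smaller priority value runs earlier). */
#define PRIORITY_NETWORK   0x10  /* assumed: where frag3 registers */
#define PRIORITY_TRANSPORT 0x20  /* assumed: where our plugin registers */
#define FLAG_REBUILT_FRAG  0x01  /* assumed bit value */

typedef struct { unsigned flags; unsigned frag_offset; } Packet;
typedef void (*PreprocFn)(Packet *);
typedef struct { PreprocFn fn; int priority; } Preproc;
static Preproc chain[8];
static int chain_len = 0;
static int frag3_calls = 0, plugin_calls = 0;

/* Models _dpd.addPreproc(): insert, keeping the chain sorted by priority. */
static void add_preproc(PreprocFn fn, int priority) {
    int i = chain_len++;
    while (i > 0 && chain[i - 1].priority > priority) { chain[i] = chain[i - 1]; i--; }
    chain[i].fn = fn; chain[i].priority = priority;
}

/* Stand-in for frag3: it sees every raw fragment; the reassembled datagram is
 * delivered later as a separate packet that carries FLAG_REBUILT_FRAG. */
static void frag3(Packet *p) { (void)p; frag3_calls++; }

/* Our preprocessor with the check Hui recommends: raw fragments are skipped,
 * so only the rebuilt packet with the full payload is inspected. */
static void example_process(Packet *p) {
    if (!(p->flags & FLAG_REBUILT_FRAG)) return;
    plugin_calls++;
}

static void dispatch(Packet *p) { for (int i = 0; i < chain_len; i++) chain[i].fn(p); }

int chain_priority_at(int i) { return chain[i].priority; }
int frag3_seen(void) { return frag3_calls; }

/* Two raw fragments then the rebuilt packet (constructed sample traffic).
 * Returns how many packets the plugin actually handled: 1, not 3. */
int run_demo(void) {
    chain_len = 0; frag3_calls = 0; plugin_calls = 0;
    add_preproc(example_process, PRIORITY_TRANSPORT); /* registered first */
    add_preproc(frag3, PRIORITY_NETWORK);             /* but runs first */
    Packet pkts[3] = { {0, 0}, {0, 1480}, {FLAG_REBUILT_FRAG, 0} };
    for (int i = 0; i < 3; i++) dispatch(&pkts[i]);
    return plugin_calls;
}
```

The point of the model is that ordering alone does not stop raw fragments from reaching a later preprocessor; every callback still sees them, and the flag check is what restricts the plugin to the reassembled packet.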