[Snort-devel] [snort-devel] Chainning pre-processors

Hui Cao hcao at ...402...
Wed Dec 4 14:55:29 EST 2013


It looks good to me.

Best,
Hui.

On Wed, Dec 4, 2013 at 2:44 PM, Emiliano Fausto
<emiliano.fausto at ...2499...> wrote:
> Hi Hui,
>
> I've seen that I was using PRIORITY_TRANSPORT, which is lower than the
> PRIORITY_NETWORK that uses frag3.
>
> Anyway, I set the priority of my own preprocessor to PRIORITY_LAST, but
> the TCP packets keep arriving fragmented at my preprocessor.
>
> Is there anything else I should take into account?
>
> Thanks in advance,
> Emiliano.
>
>
> 2013/12/4 Hui Cao <hcao at ...402...>
>>
>> In sr/preprocids.h
>>
>> Best,
>> Hui.
>>
>> On 12/04/2013 02:36 PM, Emiliano Fausto wrote:
>>
>> Great,
>>
>> so, the pre-processors are "chained" by default, and the order that SNORT
>> follows to call them is set by the PRIORITY variable.
>>
>> Do you know where this PRIORITY variable is defined? Because I saw that
>> frag3 is being registered with PRIORITY_NETWORK, so I'd like to set the
>> priority of my own preprocessor to (PRIORITY_NETWORK - 1).
>>
>> Thanks in advance,
>> Emiliano
>>
>>
>> 2013/12/4 Hui Cao <hcao at ...402...>
>>>
>>> sc means snort configuration. We use PRIORITY to sort the processing. All
>>> processors enabled will be called and processed based on priority. You have
>>> to rely on the code to figure out what exactly snort does.
>>>
>>> The checking is correct. You will only process rebuilt packets.
>>>
>>> Best,
>>> Hui.
>>> On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
>>>
>>> Hello Hui,
>>>
>>> thanks a lot for your answer.
>>>
>>> Right now I have registered my preprocessor (let's call it
>>> examplePreprocess as you said, because right now I'm using the one provided
>>> with the DPX) with this line:
>>>
>>> _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000,
>>> PROTO_BIT__TCP);
>>>
>>> So, the only change is to add the "sc" before the ExampleProcess
>>> parameter. What does it mean? Do you know if there's any documentation about
>>> chaining preprocessors like this?
>>>
>>> So, checking the flags, should be:
>>>
>>> ((SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG
>>>
>>> right?
>>>
>>> Thanks again!
>>> Emiliano.
>>>
>>>
>>>
>>> Then, I'll have to register my own preprocessor where?
>>>
>>>
>>> 2013/12/4 Hui Cao <hcao at ...402...>
>>>>
>>>> Yes, it is possible. You can register your preprocessor like this:
>>>>
>>>> _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID,
>>>> PROTO_BIT__IP );
>>>>
>>>> Remember to check the following flag in your ExampleProcess:
>>>>
>>>> ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG
>>>>
>>>> Best,
>>>> Hui.
>>>>
>>>>
>>>> On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
>>>>
>>>> Hi everybody,
>>>>
>>>> I'm creating a new preprocessor which needs to have the whole content in
>>>> a packet which was fragmented.
>>>>
>>>> So I thought of using the frag3 preprocessor to reassemble the packets,
>>>> and then, when this reassembly is done, send it to my own preprocessor.
>>>>
>>>> Do you know if this is possible? Can I have the output of frag3 be
>>>> the input of my own preprocessor?
>>>>
>>>> Regards,
>>>> Emiliano.
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>> Archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>>
>>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>>
>>>
>>
>>
>
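A self-contained C model of the mechanism discussed in this thread, added here as an illustration (it is not Snort code and not from either poster): a preprocessor chain sorted by priority, a stand-in frag3 that sets FLAG_REBUILT_FRAG, and a preprocessor that only handles rebuilt packets. The priority and flag values are assumed stand-ins for the definitions in preprocids.h and sf_snort_packet.h, and the model addPreproc drops the snort configuration and protocol-bits arguments that the real _dpd.addPreproc takes.

```c
#include <stdint.h>
#include <stdlib.h>
/* Stand-in values for names from preprocids.h / sf_snort_packet.h, assumed for this
 * model; a real DPX includes those headers instead of defining them. */
#define PRIORITY_NETWORK  0x10
#define PRIORITY_LAST     0xffff
#define FLAG_REBUILT_FRAG 0x00000001
typedef struct { uint32_t flags; } SFSnortPacket;
typedef void (*PreprocFn)(void *pkt, void *context);
typedef struct { PreprocFn fn; uint16_t priority; uint32_t id; } PreprocEntry;
static PreprocEntry chain[8];
static int chain_len = 0, example_processed = 0;
/* Model of _dpd.addPreproc(sc, fn, priority, id, proto_bits): registration order
 * is irrelevant, only the priority decides when fn runs. */
static void addPreproc(PreprocFn fn, uint16_t priority, uint32_t id) {
    PreprocEntry e = { fn, priority, id };
    chain[chain_len++] = e;
}
static int by_priority(const void *a, const void *b) {
    return (int)((const PreprocEntry *)a)->priority
         - (int)((const PreprocEntry *)b)->priority;
}

/* Stand-in for frag3: after reassembling the IP fragments it marks the packet.
 * (TCP segments rebuilt by stream reassembly carry FLAG_REBUILT_STREAM instead.) */
static void Frag3Process(void *pkt, void *ctx) {
    (void)ctx;
    ((SFSnortPacket *)pkt)->flags |= FLAG_REBUILT_FRAG;
}

/* The custom preprocessor with the check from the thread: skip anything not rebuilt. */
static void ExampleProcess(void *pkt, void *ctx) {
    (void)ctx;
    if (!(((SFSnortPacket *)pkt)->flags & FLAG_REBUILT_FRAG))
        return;                      /* raw fragment: frag3 has not run on it yet */
    example_processed++;
}

/* Push one constructed packet through the chain; return how many ExampleProcess accepted. */
static int demo(uint16_t example_priority) {
    SFSnortPacket p = { 0 };
    chain_len = 0; example_processed = 0;
    addPreproc(ExampleProcess, example_priority, 10000);  /* registered first ... */
    addPreproc(Frag3Process, PRIORITY_NETWORK, 1);        /* ... but sorted by priority */
    qsort(chain, (size_t)chain_len, sizeof chain[0], by_priority);
    for (int i = 0; i < chain_len; i++)
        chain[i].fn(&p, NULL);
    return example_processed;
}
```

With a priority below PRIORITY_NETWORK the example preprocessor runs before frag3 and sees only the raw fragment, so it processes nothing; with PRIORITY_LAST it runs after frag3 and receives the rebuilt packet.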



