[Snort-devel] [snort-devel] Chaining pre-processors

Emiliano Fausto emiliano.fausto at ...2499...
Wed Dec 4 15:00:57 EST 2013


Yes,

that's what I thought, but for some reason the TCP packets keep on arriving
fragmented at my preprocessor.

Now I took off all the preprocessors and just left frag3 and mine; I'll
try to figure out if they are called in the correct order, but they are not
being chained.

Thanks,
Emiliano.


2013/12/4 Hui Cao <hcao at ...402...>

> It looks good to me.
>
> Best,
> Hui.
>
> On Wed, Dec 4, 2013 at 2:44 PM, Emiliano Fausto
> <emiliano.fausto at ...2499...> wrote:
> > Hi Hui,
> >
> > I've seen that I was using PRIORITY_TRANSPORT, which is lower than the
> > PRIORITY_NETWORK that frag3 uses.
> >
> > Anyway, I put the priority PRIORITY_LAST on my own preprocessor, but the
> > TCP packets keep arriving fragmented at my preprocessor.
> >
> > Is there anything else I should take into account?
> >
> > Thanks in advance,
> > Emiliano.
> >
> >
> > 2013/12/4 Hui Cao <hcao at ...402...>
> >>
> >> In sr/preprocids.h
> >>
> >> Best,
> >> Hui.
> >>
> >> On 12/04/2013 02:36 PM, Emiliano Fausto wrote:
> >>
> >> Great,
> >>
> >> so, the pre-processors are "chained" by default, and the order that SNORT
> >> follows to call them is set by the PRIORITY variable.
> >>
> >> Do you know where this PRIORITY variable is defined? Because I saw that the
> >> frag3 is being registered with PRIORITY_NETWORK, so I'd like to set the
> >> priority of my own preprocessor as (PRIORITY_NETWORK - 1).
> >>
> >> Thanks in advance,
> >> Emiliano
> >>
> >>
> >> 2013/12/4 Hui Cao <hcao at ...402...>
> >>>
> >>> sc means snort configuration. We use PRIORITY to sort the processing. All
> >>> processors enabled will be called and processed based on priority. You have
> >>> to rely on the code to figure out what exactly snort does.
> >>>
> >>> The checking is correct. You will only process rebuilt packets.
> >>>
> >>> Best,
> >>> Hui.
> >>> On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
> >>>
> >>> Hello Hui,
> >>>
> >>> thanks a lot for your answer.
> >>>
> >>> Right now I have registered my preprocessor (let's call it
> >>> examplePreprocess as you said, because right now I'm using the one provided
> >>> with the DPX) with this line:
> >>>
> >>> _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000,
> >>> PROTO_BIT__TCP);
> >>>
> >>> So, the only change is to add the "sc" parameter before ExampleProcess.
> >>> What does it mean? Do you know if there's any documentation about this
> >>> chaining of preprocessors?
> >>>
> >>> So, checking the flags, should be:
> >>>
> >>> ((SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG
> >>>
> >>> right?
> >>>
> >>> Thanks again!
> >>> Emiliano.
> >>>
> >>>
> >>>
> >>> Then, I'll have to register my own preprocessor where?
> >>>
> >>>
> >>> 2013/12/4 Hui Cao <hcao at ...402...>
> >>>>
> >>>> Yes, it is possible. You can register your preprocessor like this:
> >>>>
> >>>> _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID,
> >>>> PROTO_BIT__IP );
> >>>>
> >>>> Remember to check the following flag in your ExampleProcess:
> >>>>
> >>>> ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG
> >>>>
> >>>> Best,
> >>>> Hui.
> >>>>
> >>>>
> >>>> On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
> >>>>
> >>>> Hi everybody,
> >>>>
> >>>> I'm creating a new preprocessor which needs to have the whole content of
> >>>> a packet which was fragmented.
> >>>>
> >>>> So I thought of using the frag3 preprocessor to reassemble the packets,
> >>>> and then, when this reassembly is done, send it to my own preprocessor.
> >>>>
> >>>> Do you know if this is possible? May I have the output of frag3 be the
> >>>> input of my own preprocessor?
> >>>>
> >>>> Regards,
> >>>> Emiliano.
> >>>>
> >>>>
> >>>>
> >>>>
> ------------------------------------------------------------------------------
> >>>> Sponsored by Intel(R) XDK
> >>>> Develop, test and display web and hybrid apps with a single code base.
> >>>> Download it for free now!
> >>>>
> >>>>
> http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Snort-devel mailing list
> >>>> Snort-devel at lists.sourceforge.net
> >>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>>> Archive:
> >>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >>>>
> >>>> Please visit http://blog.snort.org for the latest news about Snort!
> >>>
> >>>
> >>>
> >>
> >>
> >
>
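As an added example (not code from this thread, and not Snort's own DPD code), the following C program models the dispatch Hui describes: every enabled preprocessor is called in order of its PRIORITY value, lowest first, and a preprocessor that wants reassembled data tests FLAG_REBUILT_FRAG and ignores anything else. The Snort-looking names (addPreproc, PRIORITY_*, PROTO_BIT__*, FLAG_REBUILT_FRAG, SFSnortPacket-style flags) are stand-ins with constructed values; the real definitions live in Snort's own headers (preprocids.h for the priorities), and nothing here links against Snort. The model registers the example preprocessor before frag3 on purpose, to show that priority rather than registration order decides who sees a packet first, and that the flag check keeps the preprocessor from acting on a raw fragment even when the ordering is wrong.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Priority constants: values constructed for this model (lower = called
 * earlier); Snort's real ones are in preprocids.h. */
#define PRIORITY_FIRST     0x0
#define PRIORITY_NETWORK   0x10
#define PRIORITY_TRANSPORT 0x100
#define PRIORITY_LAST      0xffff

/* Protocol bits and packet flag: bit values constructed for this model. */
#define PROTO_BIT__IP      0x01u
#define PROTO_BIT__TCP     0x04u
#define FLAG_REBUILT_FRAG  0x01u

typedef struct {
    uint32_t proto_bits;   /* protocols decoded so far in this packet */
    uint32_t flags;        /* FLAG_REBUILT_FRAG is set by the reassembler */
    int      is_fragment;  /* constructed: 1 while still a raw IP fragment */
} ModelPacket;

typedef void (*PreprocFunc)(ModelPacket *p);

typedef struct {
    const char *name;
    PreprocFunc func;
    uint16_t    priority;
    uint32_t    proto_mask;
} PreprocEntry;

#define MAX_PREPROCS 8
static PreprocEntry g_preprocs[MAX_PREPROCS];
static int g_count;

/* Model of _dpd.addPreproc(): remember callback, priority and protocol mask. */
static int addPreproc(const char *name, PreprocFunc f, uint16_t prio, uint32_t mask)
{
    if (g_count >= MAX_PREPROCS) return -1;
    g_preprocs[g_count].name = name;
    g_preprocs[g_count].func = f;
    g_preprocs[g_count].priority = prio;
    g_preprocs[g_count].proto_mask = mask;
    g_count++;
    return 0;
}

static int byPriority(const void *a, const void *b)
{
    const PreprocEntry *x = a, *y = b;
    return (x->priority > y->priority) - (x->priority < y->priority);
}

/* Dispatch: every registered preprocessor runs in priority order, provided
 * its protocol mask overlaps what has been decoded in the packet so far. */
static void runPreprocs(ModelPacket *p)
{
    qsort(g_preprocs, g_count, sizeof g_preprocs[0], byPriority);
    for (int i = 0; i < g_count; i++)
        if (g_preprocs[i].proto_mask & p->proto_bits)
            g_preprocs[i].func(p);
}

static int g_example_calls, g_example_processed;

/* Stand-in for frag3: turns a raw fragment into a rebuilt packet. */
static void frag3Process(ModelPacket *p)
{
    if (p->is_fragment) {
        p->is_fragment = 0;
        p->flags |= FLAG_REBUILT_FRAG;
        p->proto_bits |= PROTO_BIT__TCP;   /* transport header now visible */
    }
}

/* The thread's ExampleProcess: act only on packets frag3 has rebuilt. */
static void exampleProcess(ModelPacket *p)
{
    g_example_calls++;
    if (!(p->flags & FLAG_REBUILT_FRAG))
        return;                            /* raw fragment: leave it alone */
    g_example_processed++;
}

/* Register frag3 at PRIORITY_NETWORK and the example at the given priority
 * and mask, push one constructed fragment through, and report whether the
 * example processed a rebuilt packet (1), was handed the raw fragment and
 * skipped it (0), or was never called at all (-1). */
int simulate(uint16_t example_priority, uint32_t example_mask)
{
    g_count = 0;
    g_example_calls = g_example_processed = 0;
    /* Registered in the "wrong" order on purpose: priority decides, not order. */
    addPreproc("example", exampleProcess, example_priority, example_mask);
    addPreproc("frag3", frag3Process, PRIORITY_NETWORK, PROTO_BIT__IP);

    ModelPacket frag = { PROTO_BIT__IP, 0, 1 };   /* constructed raw fragment */
    runPreprocs(&frag);

    if (g_example_calls == 0) return -1;
    return g_example_processed ? 1 : 0;
}

int main(void)
{
    printf("FIRST/IP      -> %d\n", simulate(PRIORITY_FIRST, PROTO_BIT__IP));
    printf("TRANSPORT/IP  -> %d\n", simulate(PRIORITY_TRANSPORT, PROTO_BIT__IP));
    printf("FIRST/TCP     -> %d\n", simulate(PRIORITY_FIRST, PROTO_BIT__TCP));
    printf("TRANSPORT/TCP -> %d\n", simulate(PRIORITY_TRANSPORT, PROTO_BIT__TCP));
    return 0;
}
```

The two masks correspond to the two registrations in the thread: with PROTO_BIT__TCP the example is simply not called on a raw fragment (no transport header has been decoded yet), while with PROTO_BIT__IP it is called and has to rely on the FLAG_REBUILT_FRAG test. In both cases a priority above PRIORITY_NETWORK puts the example after frag3, which is what the rebuilt packet needs.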