[Snort-devel] [snort-devel] Chainning pre-processors

Hui Cao hcao at ...402...
Wed Dec 4 15:04:20 EST 2013


It will still get all packets including the raw packets. You need to
use packet flags to filter them.

Best,
Hui.

On Wed, Dec 4, 2013 at 3:00 PM, Emiliano Fausto
<emiliano.fausto at ...2499...> wrote:
> Yes,
>
> that's what I thought, but for some reason the TCP packets keep on coming
> fragmented to my preprocessor.
>
> Now I took off all the preprocessors and just left frag3 and mine. I'll
> try to figure out if they are called in the correct order, but they are not
> being chained.
>
> Thanks,
> Emiliano.
>
>
> 2013/12/4 Hui Cao <hcao at ...402...>
>>
>> It looks good to me.
>>
>> Best,
>> Hui.
>>
>> On Wed, Dec 4, 2013 at 2:44 PM, Emiliano Fausto
>> <emiliano.fausto at ...2499...> wrote:
>> > Hi Hui,
>> >
>> > I've seen that I was using PRIORITY_TRANSPORT, which is lower than the
>> > PRIORITY_NETWORK that frag3 uses.
>> >
>> > Anyway, I set the priority PRIORITY_LAST on my own preprocessor, but the
>> > TCP packets keep arriving fragmented at my preprocessor.
>> >
>> > Is there anything else I should take into account?
>> >
>> > Thanks in advance,
>> > Emiliano.
>> >
>> >
>> > 2013/12/4 Hui Cao <hcao at ...402...>
>> >>
>> >> In sr/preprocids.h
>> >>
>> >> Best,
>> >> Hui.
>> >>
>> >> On 12/04/2013 02:36 PM, Emiliano Fausto wrote:
>> >>
>> >> Great,
>> >>
>> >> so, the pre-processors are "chained" by default, and the order that SNORT
>> >> follows to call them is set by the PRIORITY variable.
>> >>
>> >> Do you know where this PRIORITY variable is defined? Because I saw that
>> >> frag3 is being registered with PRIORITY_NETWORK, so I'd like to set the
>> >> priority of my own preprocessor as (PRIORITY_NETWORK - 1).
>> >>
>> >> Thanks in advance,
>> >> Emiliano
>> >>
>> >>
>> >> 2013/12/4 Hui Cao <hcao at ...402...>
>> >>>
>> >>> sc means snort configuration. We use PRIORITY to sort the processing.
>> >>> All processors enabled will be called and processed based on priority.
>> >>> You have to rely on the code to figure out what exactly snort does.
>> >>>
>> >>> The checking is correct. You will only process rebuilt packets.
>> >>>
>> >>> Best,
>> >>> Hui.
>> >>> On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
>> >>>
>> >>> Hello Hui,
>> >>>
>> >>> thanks a lot for your answer.
>> >>>
>> >>> Right now I have registered my preprocessor (let's call it
>> >>> examplePreprocess as you said, because right now I'm using the one
>> >>> provided with the DPX) with this line:
>> >>>
>> >>> _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000,
>> >>> PROTO_BIT__TCP);
>> >>>
>> >>> So, the only change is to add "sc" before the parameter ExampleProcess.
>> >>> What does it mean? Do you know if there's any documentation about
>> >>> chaining preprocessors?
>> >>>
>> >>> So, checking the flags should be:
>> >>>
>> >>> ((SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG
>> >>>
>> >>> right?
>> >>>
>> >>> Thanks again!
>> >>> Emiliano.
>> >>>
>> >>>
>> >>>
>> >>> Then, I'll have to register my own preprocessor where?
>> >>>
>> >>>
>> >>> 2013/12/4 Hui Cao <hcao at ...402...>
>> >>>>
>> >>>> Yes, it is possible. You can register your preprocessor like this:
>> >>>>
>> >>>> _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID,
>> >>>> PROTO_BIT__IP );
>> >>>>
>> >>>> Remember to check the following flag in your ExampleProcess:
>> >>>>
>> >>>> ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG
>> >>>>
>> >>>> Best,
>> >>>> Hui.
>> >>>>
>> >>>>
>> >>>> On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
>> >>>>
>> >>>> Hi everybody,
>> >>>>
>> >>>> I'm creating a new preprocessor which needs to have the whole content
>> >>>> of a packet which was fragmented.
>> >>>>
>> >>>> So I thought of using the frag3 preprocessor to reassemble the
>> >>>> packets, and then, when this reassembly is done, send it to my own
>> >>>> preprocessor.
>> >>>>
>> >>>> Do you know if this is possible? May I have the output of frag3 being
>> >>>> the input of my own preprocessor?
>> >>>>
>> >>>> Regards,
>> >>>> Emiliano.
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Snort-devel mailing list
>> >>>> Snort-devel at lists.sourceforge.net
>> >>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> >>>> Archive:
>> >>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>> >>>>
>> >>>> Please visit http://blog.snort.org for the latest news about Snort!
>> >>>>
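An added, constructed model of the behaviour Hui describes in this thread (it is not Snort's code or the DPD API): every registered preprocessor is handed every packet, raw fragments included; a frag3-like stage injects one rebuilt packet tagged FLAG_REBUILT_FRAG back into the priority-sorted chain; and the custom preprocessor filters on that flag. The SFSnortPacket struct, the PRIORITY_* values and the flag value are stand-ins; in a real DPX module this filter sits inside the function passed to _dpd.addPreproc.

```c
#include <string.h>

#define FLAG_REBUILT_FRAG  0x01   /* stand-in value, constructed for this model */
#define PRIORITY_NETWORK   10     /* stand-in values; the real ones live in preprocids.h */
#define PRIORITY_TRANSPORT 100

/* Stand-in for Snort's packet struct: only the fields this model needs. */
typedef struct { unsigned flags; const char *payload; int more_frags; } SFSnortPacket;
typedef void (*PreprocFn)(SFSnortPacket *);
typedef struct { int priority; PreprocFn fn; } Preproc;

static void run_chain(SFSnortPacket *p);
static char reasm[64];                  /* frag3 model's reassembly buffer */
int raw_seen = 0, rebuilt_processed = 0;
char last_rebuilt[64];

/* frag3 model: buffer raw fragments, then inject one rebuilt packet into the chain. */
static void frag3_like(SFSnortPacket *p) {
    if (p->flags & FLAG_REBUILT_FRAG) return;        /* ignore its own output */
    strncat(reasm, p->payload, sizeof reasm - strlen(reasm) - 1);
    if (!p->more_frags) {
        SFSnortPacket rebuilt = { FLAG_REBUILT_FRAG, reasm, 0 };
        run_chain(&rebuilt);                         /* rebuilt packet runs the chain too */
        reasm[0] = '\0';
    }
}

/* The custom preprocessor: it is handed every packet; act only on rebuilt ones. */
static void example_process(SFSnortPacket *p) {
    if (!(p->flags & FLAG_REBUILT_FRAG)) { raw_seen++; return; }   /* raw fragment: skip */
    rebuilt_processed++;
    strncpy(last_rebuilt, p->payload, sizeof last_rebuilt - 1);
}

/* Registered out of order on purpose; the chain is sorted by priority, lower value first. */
static Preproc chain[] = { { PRIORITY_TRANSPORT, example_process },
                           { PRIORITY_NETWORK,   frag3_like } };
#define NPP (int)(sizeof chain / sizeof chain[0])

static void run_chain(SFSnortPacket *p) {
    for (int i = 1; i < NPP; i++)                      /* insertion sort by priority */
        for (int j = i; j > 0 && chain[j-1].priority > chain[j].priority; j--) {
            Preproc t = chain[j]; chain[j] = chain[j-1]; chain[j-1] = t;
        }
    for (int i = 0; i < NPP; i++) chain[i].fn(p);
}

/* Replay two constructed IP fragments; returns the number of rebuilt packets processed. */
int replay(void) {
    SFSnortPacket f1 = { 0, "GET /index", 1 }, f2 = { 0, ".html", 0 };
    raw_seen = rebuilt_processed = 0; reasm[0] = last_rebuilt[0] = '\0';
    run_chain(&f1); run_chain(&f2);
    return rebuilt_processed;
}
```

After the replay the custom preprocessor has been handed both raw fragments (raw_seen is 2) but acted once, on the reassembled payload; dropping the flag test is exactly what makes "the TCP packets keep arriving fragmented".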