[Snort-devel] [snort-devel] Chaining pre-processors

Emiliano Fausto emiliano.fausto at ...2499...
Wed Dec 4 15:17:05 EST 2013


Hui,

yes, I understood what you told me about filtering just the de-fragmented
packets; that's why I added these 3 lines:

SFSnortPacket *p = (SFSnortPacket *)pkt;
int fla = (p->flags & FLAG_REBUILT_FRAG);   /* non-zero only for datagrams frag3 rebuilt */
_dpd.logMsg("Flags set? %d\n", fla);

But I generate fragmented packets (which, for instance, Wireshark detects and
shows as fragmented, offering the possibility of reassembling them), and with
each one I'm always getting the output: "Flags set? 0".

I receive all the fragmented packets, but not the last one reassembled.

Regards,
Emiliano.
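The FLAG_REBUILT_FRAG check discussed in this thread, as an added stand-alone example (not code from the thread or from Snort): the SFSnortPacket struct, the FLAG_* values and the packet sequence are constructed stand-ins for what sf_snort_packet.h and a live capture would provide.

```c
/* Added example, not code from the thread: stand-alone model of the
 * FLAG_REBUILT_FRAG check.  Struct and flag values are constructed stand-ins
 * for Snort's sf_snort_packet.h so this compiles without the Snort tree. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_REBUILT_FRAG   0x00000001u /* datagram rebuilt by frag3      */
#define FLAG_REBUILT_STREAM 0x00000002u /* TCP segment rebuilt by stream5 */

typedef struct {
    uint32_t flags;        /* FLAG_* bits, as in SFSnortPacket->flags */
    uint16_t payload_size; /* payload bytes carried by this packet    */
} SFSnortPacket;

/* The filter a preprocessor callback applies: inspect only datagrams that
 * frag3 has already reassembled and let raw fragments pass untouched. */
int is_rebuilt_frag(const SFSnortPacket *p)
{
    return (p->flags & FLAG_REBUILT_FRAG) != 0;
}

/* Count packets whose flags include any bit of `mask`; with
 * FLAG_REBUILT_FRAG this is how many would reach the inspection path. */
size_t count_matching(const SFSnortPacket *pkts, size_t n, uint32_t mask)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (pkts[i].flags & mask)
            hits++;
    return hits;
}

/* Constructed sample: two raw IP fragments, the datagram frag3 rebuilt from
 * them, and one TCP segment rebuilt by stream5 (a different flag bit). */
static const SFSnortPacket SAMPLE[] = {
    { 0, 1480 }, { 0, 520 },
    { FLAG_REBUILT_FRAG, 2000 },
    { FLAG_REBUILT_STREAM, 1200 },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    size_t frag = count_matching(SAMPLE, SAMPLE_LEN, FLAG_REBUILT_FRAG);
    size_t any = count_matching(SAMPLE, SAMPLE_LEN,
                                FLAG_REBUILT_FRAG | FLAG_REBUILT_STREAM);
    printf("frag3=%zu rebuilt=%zu raw=%zu\n", frag, any, SAMPLE_LEN - any);
    return 0;
}
```

Snort's dynamic API marks packets that stream5 reassembles from TCP segments with FLAG_REBUILT_STREAM rather than FLAG_REBUILT_FRAG, so a filter on FLAG_REBUILT_FRAG alone only ever sees IP-level reassembly done by frag3.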


2013/12/4 Hui Cao <hcao at ...402...>

> It will still get all packets including the raw packets. You need to
> use packet flags to filter them.
>
> Best,
> Hui.
>
> On Wed, Dec 4, 2013 at 3:00 PM, Emiliano Fausto
> <emiliano.fausto at ...2499...> wrote:
> > Yes,
> >
> > that's what I thought, but for some reason the TCP packets keep on coming
> > fragmented to my preprocessor.
> >
> > Now I took off all the preprocessors and just left frag3 and mine. I'll
> > try to figure out if they are called in the correct order, but they are
> > not being chained.
> >
> > Thanks,
> > Emiliano.
> >
> >
> > 2013/12/4 Hui Cao <hcao at ...402...>
> >>
> >> It looks good to me.
> >>
> >> Best,
> >> Hui.
> >>
> >> On Wed, Dec 4, 2013 at 2:44 PM, Emiliano Fausto
> >> <emiliano.fausto at ...2499...> wrote:
> >> > Hi Hui,
> >> >
> >> > I've seen that I was using PRIORITY_TRANSPORT, which is lower than the
> >> > PRIORITY_NETWORK that frag3 uses.
> >> >
> >> > Anyway, I set the priority PRIORITY_LAST on my own preprocessor, but
> >> > the TCP packets keep arriving fragmented at my preprocessor.
> >> >
> >> > Is there anything else I should take into account?
> >> >
> >> > Thanks in advance,
> >> > Emiliano.
> >> >
> >> >
> >> > 2013/12/4 Hui Cao <hcao at ...402...>
> >> >>
> >> >> In src/preprocids.h
> >> >>
> >> >> Best,
> >> >> Hui.
> >> >>
> >> >> On 12/04/2013 02:36 PM, Emiliano Fausto wrote:
> >> >>
> >> >> Great,
> >> >>
> >> >> so, the pre-processors are "chained" by default, and the order that
> >> >> SNORT follows to call them is set by the PRIORITY variable.
> >> >>
> >> >> Do you know where this PRIORITY variable is defined? Because I saw
> >> >> that frag3 is being registered with PRIORITY_NETWORK, so I'd like to
> >> >> set the priority of my own preprocessor as (PRIORITY_NETWORK - 1).
> >> >>
> >> >> Thanks in advance,
> >> >> Emiliano
> >> >>
> >> >>
> >> >> 2013/12/4 Hui Cao <hcao at ...402...>
> >> >>>
> >> >>> sc means snort configuration. We use PRIORITY to sort the
> >> >>> processing. All processors enabled will be called and processed
> >> >>> based on priority. You have to rely on the code to figure out what
> >> >>> exactly snort does.
> >> >>>
> >> >>> The checking is correct. You will only process rebuilt packets.
> >> >>>
> >> >>> Best,
> >> >>> Hui.
> >> >>> On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
> >> >>>
> >> >>> Hello Hui,
> >> >>>
> >> >>> thanks a lot for your answer.
> >> >>>
> >> >>> Right now I have registered my preprocessor (let's call it
> >> >>> examplePreprocess as you said, because right now I'm using the one
> >> >>> provided with the DPX) with this line:
> >> >>>
> >> >>> _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000,
> >> >>> PROTO_BIT__TCP);
> >> >>>
> >> >>> So, the only change is to add the "sc" before the ExampleProcess
> >> >>> parameter. What does it mean? Do you know if there's any
> >> >>> documentation about this chaining of preprocessors?
> >> >>>
> >> >>> So, checking the flags, should be:
> >> >>>
> >> >>> ((SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG
> >> >>>
> >> >>> right?
> >> >>>
> >> >>> Thanks again!
> >> >>> Emiliano.
> >> >>>
> >> >>>
> >> >>>
> >> >>> Then, I'll have to register my own preprocessor where?
> >> >>>
> >> >>>
> >> >>> 2013/12/4 Hui Cao <hcao at ...402...>
> >> >>>>
> >> >>>> Yes, it is possible. You can register your preprocessor like this:
> >> >>>>
> >> >>>> _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID,
> >> >>>> PROTO_BIT__IP );
> >> >>>>
> >> >>>> Remember to check the following flag in your ExampleProcess:
> >> >>>>
> >> >>>> ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG
> >> >>>>
> >> >>>> Best,
> >> >>>> Hui.
> >> >>>>
> >> >>>>
> >> >>>> On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
> >> >>>>
> >> >>>> Hi everybody,
> >> >>>>
> >> >>>> I'm creating a new preprocessor which needs to have the whole
> >> >>>> content of a packet which was fragmented.
> >> >>>>
> >> >>>> So I thought of using the frag3 preprocessor to reassemble the
> >> >>>> packets, and then, when this reassembly is done, send it to my own
> >> >>>> preprocessor.
> >> >>>>
> >> >>>> Do you know if this is possible? May I have the output of frag3
> >> >>>> being the input of my own preprocessor?
> >> >>>>
> >> >>>> Regards,
> >> >>>> Emiliano.
> >> >>>>
> >> >>>> _______________________________________________
> >> >>>> Snort-devel mailing list
> >> >>>> Snort-devel at lists.sourceforge.net
> >> >>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >> >>>> Archive:
> >> >>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >> >>>>
> >> >>>> Please visit http://blog.snort.org for the latest news about Snort!