[Snort-devel] Writing a dynamic rules
pmullen at ...402...
Mon Nov 11 11:49:29 EST 2013
Before I offer assistance, I want to clarify terms a bit --
Are you looking to write a shared object rule, using C to create
detection? Or are you trying to write a rule option where you are
trying to create a new rule option that can be used in text rules
If you're trying to write a shared object rule, I recommend using the
SO Generator located on http://vrt.snort.org. Unfortunately, I just
discovered that the sip_* options are not currently handled (added to
my todo list now) but what you can do is use the dce_* options as
analogues to get the information you need on how to set up the
structures. Just substitute the "dce" names in the structures with
the relevant "sip" names and you should be good to go.
This example rule will set up similar structures you can modify and
use in what you're writing --
alert tcp any any -> any any (msg:"test"; flow:to_client,established;
dce_opnum:10; dce_stub_data; content:"hello"; classtype:misc-activity;
dce_opnum would be very similar to what you would do for sip_method
dce_stub_data would be very similar to what you would do for sip_body
and sip_header (they both work like file_data, as opposed to being an
option to contentMatch like http_header, http_uri, etc).
Hope this helps.
On Sun, Nov 10, 2013 at 12:51 AM, donfack zeufack hermann
<donfack.hermann at ...2499...> wrote:
> First of all sorry for my english, and if my question is trivial and i'm
> new in SNORT development and i just try my best to understand it.
> I need to write a dynamic rule plugin for the SIP packet, I have also
> read all code of SIP dynamic preprocessor and understand how it work.
> But I have a problem, How can I use the preprocessorOption define in the
> sf_snort_plugin_api to use SIP Rule Option defined by the SIP dynamic
> preprocessor ?
> is it even possible ?
> If it is not possible, can you give me a little example how to use the
> preprocessorOption ?
> Thanks in advance your help.
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models. Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and register
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> Please visit http://blog.snort.org for the latest news about Snort!
Response Research Manager
More information about the Snort-devel