[Snort-devel] [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine

Emiliano Fausto emiliano.fausto at ...2499...
Mon Jan 13 15:55:01 EST 2014


Hi all,

after doing some more research on this, I think that although it could be a
different way of facing this requirement I have, there could be a way
developing a "Detection Plugin".

Does anyone know if from my own detection plugin, I could call the
"content" or "pcre" one?

For instance, I create the detection plugin called: "givesTheUser", which
will create these 2 variables into SNORT memory structure (user_surname and
user_name).

But inside my plugin, I'd like to use the keywords pcre or content, without
"re-coding" them, is it possible? have anyone done something similar before?

Thanks in advance!
Emiliano.


2014/1/10 Emiliano Fausto <emiliano.fausto at ...2499...>

> hi there,
>
> just in case. I know that I would be able to create a Detection-plugin,
> like the tcpurg example. But the problem is that, I'd rather use the snort
> detection engine to have the string, hex and prcre full searching features.
>
> It would be really hard to me, to start from the scratch doing those
> functionality. Instead, I'll like to take advantage of them and use them as
> the http_header does for example.
>
> Regards!
> Emiliano.
>
>
> 2014/1/10 Emiliano Fausto <emiliano.fausto at ...2499...>
>
>> Hi all!
>>
>> I'm developing a preprocessor which takes extra information from a
>> packet, and I'd like that this info is sent to the global SNORT structure
>> to be used into the rules engine.
>>
>> Let's suppose I have a packet with this information:
>>
>> |header| payload| --> Into the Payload, I have the info: Name="John",
>> Surname="Doe".
>>
>> And I create two variables in the preprocessor called:
>>
>> user_name= payload-->Name
>> user_surname= payload-->Surname
>>
>> So, I'd like to know if someone has worked with global variables so that
>> I can create a new rule in SNORT which would be something like:
>>
>> alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
>> "John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
>> logged in to the system"; sid: 12345678; rev: 1; )
>>
>> Thanks in advance,
>> Emiliano.
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140113/51763706/attachment.html>


More information about the Snort-devel mailing list