[Snort-devel] [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine
emiliano.fausto at ...2499...
Mon Jan 13 15:55:01 EST 2014
after doing some more research on this, I think that although it could be a
different way of facing this requirement I have, there could be a way
developing a "Detection Plugin".
Does anyone know if from my own detection plugin, I could call the
"content" or "pcre" one?
For instance, I create the detection plugin called: "givesTheUser", which
will create these 2 variables into SNORT memory structure (user_surname and
But inside my plugin, I'd like to use the keywords pcre or content, without
"re-coding" them, is it possible? have anyone done something similar before?
Thanks in advance!
2014/1/10 Emiliano Fausto <emiliano.fausto at ...2499...>
> hi there,
> just in case. I know that I would be able to create a Detection-plugin,
> like the tcpurg example. But the problem is that, I'd rather use the snort
> detection engine to have the string, hex and prcre full searching features.
> It would be really hard to me, to start from the scratch doing those
> functionality. Instead, I'll like to take advantage of them and use them as
> the http_header does for example.
> 2014/1/10 Emiliano Fausto <emiliano.fausto at ...2499...>
>> Hi all!
>> I'm developing a preprocessor which takes extra information from a
>> packet, and I'd like that this info is sent to the global SNORT structure
>> to be used into the rules engine.
>> Let's suppose I have a packet with this information:
>> |header| payload| --> Into the Payload, I have the info: Name="John",
>> And I create two variables in the preprocessor called:
>> user_name= payload-->Name
>> user_surname= payload-->Surname
>> So, I'd like to know if someone has worked with global variables so that
>> I can create a new rule in SNORT which would be something like:
>> alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
>> "John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
>> logged in to the system"; sid: 12345678; rev: 1; )
>> Thanks in advance,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel