[Snort-devel] [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine

Emiliano Fausto emiliano.fausto at ...2499...
Wed Jan 15 14:27:12 EST 2014


Update on this!

I've been doing some more testing, and I found how:
1) create a detection plugin
2) create a preprocessor

But I wasn't able to "connect" them... I mean, I'd really like to create
variables into my preprocessor, which will be translated to keywords into
the Detection Engine.

I was thinking that maybe if someone created / developed, content
modifiers, this could be something interesting to take a look at.

Regards,
Emiliano.



2014/1/13 Emiliano Fausto <emiliano.fausto at ...2499...>

> Hi all,
>
> after doing some more research on this, I think that although it could be
> a different way of facing this requirement I have, there could be a way
> developing a "Detection Plugin".
>
> Does anyone know if from my own detection plugin, I could call the
> "content" or "pcre" one?
>
> For instance, I create the detection plugin called: "givesTheUser", which
> will create these 2 variables into SNORT memory structure (user_surname and
> user_name).
>
> But inside my plugin, I'd like to use the keywords pcre or content,
> without "re-coding" them, is it possible? have anyone done something
> similar before?
>
> Thanks in advance!
> Emiliano.
>
>
> 2014/1/10 Emiliano Fausto <emiliano.fausto at ...2499...>
>
>> hi there,
>>
>> just in case. I know that I would be able to create a Detection-plugin,
>> like the tcpurg example. But the problem is that, I'd rather use the snort
>> detection engine to have the string, hex and prcre full searching features.
>>
>> It would be really hard to me, to start from the scratch doing those
>> functionality. Instead, I'll like to take advantage of them and use them as
>> the http_header does for example.
>>
>> Regards!
>> Emiliano.
>>
>>
>> 2014/1/10 Emiliano Fausto <emiliano.fausto at ...2499...>
>>
>>> Hi all!
>>>
>>> I'm developing a preprocessor which takes extra information from a
>>> packet, and I'd like that this info is sent to the global SNORT structure
>>> to be used into the rules engine.
>>>
>>> Let's suppose I have a packet with this information:
>>>
>>> |header| payload| --> Into the Payload, I have the info: Name="John",
>>> Surname="Doe".
>>>
>>> And I create two variables in the preprocessor called:
>>>
>>> user_name= payload-->Name
>>> user_surname= payload-->Surname
>>>
>>> So, I'd like to know if someone has worked with global variables so that
>>> I can create a new rule in SNORT which would be something like:
>>>
>>> alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
>>> "John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
>>> logged in to the system"; sid: 12345678; rev: 1; )
>>>
>>> Thanks in advance,
>>> Emiliano.
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140115/5eeeb659/attachment.html>


More information about the Snort-devel mailing list