[Snort-devel] ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase)

Martijn van Oosterhout kleptog at ...2499...
Fri Jun 13 08:57:44 EDT 2014


And I've found the root cause of the problem. Basically it's this code in
src/preprocessors/spp_stream5.c:

static void Stream5RegisterXtraDataLog(LogExtraData f, void *config)
{
    extra_data_log = f;
    extra_data_config = config;
}

Basically, the way this code is written there can only be a single output
plugin that gets the extra data. And it will be the last plugin that calls
this function to register itself.

The registration happens in
src/output-plugins/spo_unified2.c:Unified2PostConfig() so happens for any
unified2 output, no matter how you configure it.

I noticed this because there was data being logged to the snort.testing.u2
logfile even though no rules matched. What happens is that the extra data
will always be logged to the *last* custom ruletype that defines a unified2
output. Because of the way ConfigureOutputPlugins() is written there is no
way to give priority to the main output plugins.

Basically, I think the way this is done is wrong and the extra data
callback should be handled the same as the output plugins and should be
stored in the ListHead. That's the only way to ensure that the extra data
ends up in the same file as the alert and packet.

Hope this makes everything clearer.
-- 
Martijn van Oosterhout <kleptog at ...2499...> http://svana.org/kleptog/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140613/a72a9766/attachment.html>


More information about the Snort-devel mailing list