[Snort-devel] how to use stream5 reassembler to reassemble tcp packet?

Mitesh Jadia mitesh.jadia at ...2499...
Thu Nov 6 08:22:39 EST 2014


Yes you can use _dpd.streamAPI->register_paf_port function.

you can see it's simplest example in snort_ftptelnet.c
it is like..
_dpd.streamAPI->register_paf_port(sc, policy_id, (uint16_t)i, true,
ftp_paf, false);

This function just finds last \n character in available buffer and flushes
all bytes including last \n byte found.

ftp_paf function is registered for traffic comming on port called i(3rd
argument) here. So for each packet this ftp_paf function will be called.
you do not have to worry about out-of-order packets, you will get all
packets in session sequentially.

There are some return values for this callback function which you need to
understand. They are like
PAF_FLUSH -- It sets the flush point in session. Stream6 will flush
automatically flush stream (data upto your registered flush point)
PAF_ABORT -- Stops calling callback function after current packet on
session.
PAF_SEARCH -- Default return value should be this one. when PAF_SEARCH is
returned stream6 understands that called needs more packets to identify fp
on this session. So it will continue sending each packets to callback
function.
...

Regards,
Mitesh Jadia

On Thu, Nov 6, 2014 at 6:25 PM, Mohiuddin Ebna Kawsar <
mohiuddin.kawsar at ...2499...> wrote:

> Hi,
>
> I am trying to build a dynamic-preprocessor for snort.I need to reassemble
> TCP packet in specific case. can i use stream5 preprocessor for this?
> if yes, how?
> is there any example..
>
> waiting for your answer.....
>
>
> Regards
> Kawsar
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141106/a676722e/attachment.html>


More information about the Snort-devel mailing list