[Snort-devel] How to get packet's from my host to server in snort
Ed Borgoyn (eborgoyn)
eborgoyn at ...3461...
Thu Aug 13 10:19:04 EDT 2015
Can you provide any additional details of your situation? Are you saying that the preprocessor is only seeing one side of the TCP conversation? Is Snort seeing both sides of the traffic?
For example, the HTTP_INSPECT preprocessor can examine/process both the client (to port 80/443) and server (from port 80/443) packets. Have you modeled your new preprocessor after an existing dynamic preprocessor?
Cisco Snort Development Team
From: Mohiuddin Ebna Kawsar <mohiuddin.kawsar at ...2499...>
Date: Wednesday, August 12, 2015 at 8:45 AM
To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
Subject: [Snort-devel] How to get packet's from my host to server in snort
I am developing a dynamic preprocessor for which I have to look inside each packet to see whether it is a redirect or not.
If the packet contains an HTTP redirect, then get the domain and follow the
redirected TCP stream.
For this I need to access the header of the HTTP GET request packet from my host to the server, to check that the Host value is the same as the redirected domain.
But my Snort preprocessor gets packets only from port 80/443, not to 80/443 from my host.
Is there any way?
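The check described in this thread, sketched as an added example that is not part of the original messages and does not use the Snort preprocessor API: classify a packet's direction by port, then test whether a client request's Host header matches the host in an earlier 3xx response's Location header. All function names are hypothetical and the sample messages are constructed. It assumes the full header block arrives in one cleartext payload and that Location is an absolute URL without userinfo or an IPv6 literal.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum dir { TO_SERVER, FROM_SERVER, OTHER };
/* Direction by port, using the ports named in the thread. */
enum dir classify(unsigned sport, unsigned dport) {
    if (dport == 80 || dport == 443) return TO_SERVER;    /* client request */
    if (sport == 80 || sport == 443) return FROM_SERVER;  /* server response */
    return OTHER;
}
/* Copy the value of header `name` (case-insensitive) into out; 1 if found. */
int header_value(const char *msg, const char *name, char *out, size_t n) {
    size_t len = strlen(name);
    for (const char *p = strstr(msg, "\r\n"); p; p = strstr(p, "\r\n")) {
        p += 2;                                    /* start of next line */
        if (*p == '\r' || *p == '\0') return 0;    /* end of header block */
        if (strncasecmp(p, name, len) || p[len] != ':') continue;
        p += len + 1;
        while (*p == ' ' || *p == '\t') p++;
        size_t v = strcspn(p, "\r\n");
        if (v >= n) return 0;                      /* too long: reject */
        memcpy(out, p, v); out[v] = '\0';
        return 1;
    }
    return 0;
}
/* Extract the host part of an absolute URL; 0 for a relative reference. */
int url_host(const char *url, char *out, size_t n) {
    const char *h = strstr(url, "://");
    if (!h) return 0;
    h += 3;
    size_t len = strcspn(h, "/:?#");
    if (len == 0 || len >= n) return 0;
    memcpy(out, h, len); out[len] = '\0';
    return 1;
}
/* 1 if resp is a 3xx whose Location host equals the Host header of req. */
int request_follows_redirect(const char *resp, const char *req) {
    char loc[256], want[128], host[128];
    if (strlen(resp) < 12 || strncmp(resp, "HTTP/1.", 7) || resp[9] != '3') return 0;
    if (!header_value(resp, "Location", loc, sizeof loc)) return 0;
    if (!url_host(loc, want, sizeof want)) return 0;
    if (!header_value(req, "Host", host, sizeof host)) return 0;
    host[strcspn(host, ":")] = '\0';               /* ignore explicit port */
    return strcasecmp(want, host) == 0;
}
/* Constructed sample messages: a redirect and the request that follows it. */
static const char RESP[] = "HTTP/1.1 302 Found\r\nLocation: http://b.example/x\r\n\r\n";
static const char REQ[] = "GET /x HTTP/1.1\r\nHost: b.example\r\n\r\n";
int main(void) {
    printf("dir=%d follows=%d\n", classify(80, 51000), request_follows_redirect(RESP, REQ));
    return 0;
}
```

Traffic on port 443 is normally TLS, so the header comparison applies only where the payload is available in cleartext.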