[Snort-devel] How to get packet's from my host to server in snort

Ed Borgoyn (eborgoyn) eborgoyn at ...3461...
Thu Aug 13 10:19:04 EDT 2015


Hello Kawsar,
  Can you provide any additional details of your situation?  Are you saying that the preprocessor is only seeing one side of the TCP conversation?  Is Snort seeing both sides of the traffic?

  For example, the HTTP_INSPECT preprocessor can examine/process both the client (to port 80/443) and server (from port 80/443) packets.  Have you modeled your new preprocessor after an existing dynamic preprocessor?

    Best Regards,
    Ed Borgoyn
    Cisco Snort Development Team


From: Mohiuddin Ebna Kawsar <mohiuddin.kawsar at ...2499...>
Date: Wednesday, August 12, 2015 at 8:45 AM
To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
Subject: [Snort-devel] How to get packet's from my host to server in snort

Hi,

I am developing a dynamic-preprocessor for which I have to look inside each packet to see whether it is a redirect or not.
If the packet contains an HTTP redirect, then get the domain and follow the
redirected TCP stream.

For this I need to access the header of the HTTP GET request packet from my host to the server, to check that the Host value is the same as the redirected domain.
But my Snort preprocessor gets packets only from port 80/443, not to 80/443 from my host.

Is there any way?

Regards
Kawsar
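
The check described in this thread needs both directions of a flow: the Host header from the client-to-server request and the Location header from the server-to-client 3xx response. The following sketch is an added example, not code from the thread or from Snort; `struct pkt`, `struct flow`, `header_value`, `flow_get` and `inspect` are hypothetical names, and the packets in `main` are constructed samples. It assumes cleartext HTTP on port 80 with each message's headers in a single packet.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical simplified records, not Snort's own packet or session structures. */
struct pkt  { unsigned sip, dip; unsigned short sport, dport; const char *data; };
struct flow { int used; unsigned cip, sip; unsigned short cport; char host[128]; };
static struct flow flows[64];   /* toy table: a colliding flow overwrites the slot */

/* Copy the value of header `name` (e.g. "Host:") into out; returns 1 if found. */
static int header_value(const char *d, const char *name, char *out, size_t n) {
    size_t len = strlen(name);
    for (const char *l = strstr(d, "\r\n"); l; l = strstr(l + 2, "\r\n")) {
        if (strncasecmp(l + 2, name, len) != 0) continue;
        const char *v = l + 2 + len + strspn(l + 2 + len, " \t");
        snprintf(out, n, "%.*s", (int)strcspn(v, "\r\n"), v);
        return 1;
    }
    return 0;
}
/* Flows are keyed from the client's point of view, whatever the packet direction. */
static struct flow *flow_get(unsigned cip, unsigned short cport, unsigned sip, int create) {
    struct flow *f = &flows[(cip ^ sip ^ cport) % 64];
    if (f->used && f->cip == cip && f->cport == cport && f->sip == sip) return f;
    if (!create) return NULL;
    f->used = 1; f->cip = cip; f->cport = cport; f->sip = sip; f->host[0] = '\0';
    return f;
}
/* Returns 1: redirect to a different host, 0: redirect to the same host, -1: nothing to compare. */
int inspect(const struct pkt *p) {
    char loc[256];
    int code;
    if (p->dport == 80) {   /* client -> server: remember the requested Host */
        struct flow *f = flow_get(p->sip, p->sport, p->dip, 1);
        header_value(p->data, "Host:", f->host, sizeof f->host);
        return -1;
    }
    if (p->sport != 80 || sscanf(p->data, "HTTP/1.%*d %d", &code) != 1 || code / 100 != 3) return -1;
    struct flow *f = flow_get(p->dip, p->dport, p->sip, 0);   /* server -> client */
    if (!f || !f->host[0] || !header_value(p->data, "Location:", loc, sizeof loc)) return -1;
    const char *h = strstr(loc, "://");
    if (!h) return 0;       /* relative Location stays on the same host */
    size_t k = strcspn(h + 3, "/:?#");
    return !(strlen(f->host) == k && strncasecmp(h + 3, f->host, k) == 0);
}

int main(void) {   /* constructed sample packets: 10.0.0.5 <-> 192.0.2.1 */
    struct pkt req = {0x0a000005, 0xc0000201, 40000, 80, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"};
    struct pkt rsp = {0xc0000201, 0x0a000005, 80, 40000, "HTTP/1.1 302 Found\r\nLocation: http://other.example/x\r\n\r\n"};
    inspect(&req);
    printf("verdict: %d\n", inspect(&rsp));
}
```

If the callback only ever receives packets with source port 80, the flow never has a stored Host and every response returns -1.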