[Snort-devel] Dynamic Preprocessor does not alert and capture packet

Big Whale d0lph1n98 at ...398...
Thu Jul 9 10:41:02 EDT 2015


The preprocessor can be loaded, but in the ModSecProcess() function, the preprocessor is supposed to output the alert if the packet matched port 80. But it does not work, so I thought the problem could be the preprocessor rules. I already tried config autogenerate_preprocessor_decoder_rules in snort.conf and defined the preprocessor alert generator ID in the preprocessor_rules. Yet nothing seems to work like it is supposed to. I am building my preprocessor based on the SSH preprocessor. Why don't you try compiling and running it locally so you can experience what kind of problem it is?


     On Thursday, July 9, 2015 8:56 PM, Hui cao <huica at ...3461...> wrote:
   

  Hi Big Whale,
 
 Can you describe in detail what works and what does not? Which decoder rule? Have you seen the rule get triggered in your preprocessor? Again, the SSH preprocessor has an example of how to generate a preprocessor alert.
 
 Best,
 Hui.
 
 On 07/09/2015 12:46 AM, Big Whale wrote:
  
 
 I already added "config autogenerate_preprocessor_decoder_rules" to my snort.conf file and put the plugin's alerts in the preprocessor.rules and gen-msg.map. But there is still no alert from my preprocessor. The preprocessor loaded correctly.
   
  
 _______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort! 