[Snort-devel] Dynamic Preprocessor does not alert and capture packet

Hui cao huica at ...3461...
Thu Jul 9 10:50:49 EDT 2015


Try running gdb if you have the binary, set a breakpoint at 
ModSecProcess(), and step through. Here are the steps to use gdb 
(http://cs.baylor.edu/~donahoo/tools/gdb/tutorial.html)

FYI...your code won't compile. You have the following function defined 
inside function ModSecProcess(void *pkt, void *context).

#include <string.h>

/* Remove every occurrence of sub from string, in place. */
void removeSubstr(char *string, const char *sub) {
    char *match = string;
    size_t len = strlen(sub);
    if (len == 0)                    /* empty pattern: nothing to remove, and strstr would loop forever */
        return;
    while ((match = strstr(match, sub))) {
        /* shift the tail (with its NUL) down over the match; memmove tolerates the overlap that strcat does not */
        memmove(match, match + len, strlen(match + len) + 1);
        /* stay at match: the text now here may begin another occurrence (e.g. "ab" in "abab") */
    }
}

Best,
Hui.
On 07/09/2015 10:41 AM, Big Whale wrote:
> The preprocessor can be loaded, but in the ModSecProcess() function the 
> preprocessor is supposed to output the alert if the packet matched port 
> 80. But it does not work, so I thought the problem could be the 
> preprocessor rules. I already tried config 
> autogenerate_preprocessor_decoder_rules in snort.conf and defined the 
> preprocessor alert generator id in the preprocessor_rules. Yet 
> everything does not seem to work like it is supposed to. I am building 
> my preprocessor based on the SSH preprocessor. Why don't you try compiling 
> and running it locally so you can experience what kind of problem it is.
>
>
>
> On Thursday, July 9, 2015 8:56 PM, Hui cao <huica at ...3461...> wrote:
>
>
> Hi Big Whale,
>
> Can you describe in detail what works and what not? Which decoder 
> rule? Have you seen the rule get triggered in your preprocessor? 
> Again, SSH preprocessor has example how to generate a preprocessor alert.
>
> Best,
> Hui.
>
> On 07/09/2015 12:46 AM, Big Whale wrote:
> I already added "config autogenerate_preprocessor_decoder_rules" to my 
> snort.conf file and put the plugin's alerts in preprocessor.rules 
> and gen-msg.map. But still no alert from my preprocessor. The 
> preprocessor loaded correctly.
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net  <mailto:Snort-devel at lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
>
>

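The following is an added stand-alone C harness, not code from this thread or from Snort, that isolates the decision ModSecProcess() is described as making (raise an alert when a TCP packet involves port 80) so it can be unit-tested and stepped through in gdb outside of Snort. Every name here (PacketView, AlertSink, alert_add, parse_ipv4_tcp, modsec_process, build_frame), the placeholder gid/sid values and the sample frames are assumptions; the real preprocessor receives Snort's own packet structure and raises alerts through Snort's alert API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HTTP_PORT  80
#define MODSEC_GID 1000   /* placeholder generator id; assumed, not a Snort value */
#define MODSEC_SID 1      /* placeholder signature id; assumed */

/* Fields the decision needs; stands in for the packet Snort hands the callback. */
typedef struct {
    uint8_t        ip_proto;     /* 6 = TCP */
    uint16_t       src_port;
    uint16_t       dst_port;
    const uint8_t *payload;
    size_t         payload_len;
} PacketView;

/* Records the last alert so a test (or gdb) can inspect it; stands in for Snort's alert call. */
typedef struct {
    int      fired;
    uint32_t gid;
    uint32_t sid;
    char     msg[64];
} AlertSink;

static void alert_add(AlertSink *sink, uint32_t gid, uint32_t sid, const char *msg) {
    sink->fired = 1;
    sink->gid = gid;
    sink->sid = sid;
    snprintf(sink->msg, sizeof sink->msg, "%s", msg);
}

/* Parse a raw IPv4 packet carrying TCP. Returns 0 for anything truncated or not TCP. */
int parse_ipv4_tcp(const uint8_t *buf, size_t len, PacketView *out) {
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;
    if (buf[9] != 6) return 0;                            /* protocol field: only TCP is of interest */
    const uint8_t *tcp = buf + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return 0;
    out->ip_proto    = buf[9];
    out->src_port    = (uint16_t)((tcp[0] << 8) | tcp[1]);
    out->dst_port    = (uint16_t)((tcp[2] << 8) | tcp[3]);
    out->payload     = tcp + doff;
    out->payload_len = len - ihl - doff;
    return 1;
}

/* The decision the thread's ModSecProcess() is meant to make. Returns 1 if an alert was raised. */
int modsec_process(const uint8_t *buf, size_t len, AlertSink *sink) {
    PacketView pv;
    if (!parse_ipv4_tcp(buf, len, &pv)) return 0;         /* not TCP or malformed: ignore */
    if (pv.src_port != HTTP_PORT && pv.dst_port != HTTP_PORT) return 0;
    alert_add(sink, MODSEC_GID, MODSEC_SID, "MODSEC port 80 traffic seen");
    return 1;
}

/* Build a constructed 40-byte IPv4+TCP SYN (no options, no payload) for testing. */
size_t build_frame(uint8_t *buf, uint16_t sport, uint16_t dport) {
    memset(buf, 0, 40);
    buf[0]  = 0x45;                 /* IPv4, IHL = 5 words */
    buf[3]  = 40;                   /* total length */
    buf[8]  = 64;                   /* TTL */
    buf[9]  = 6;                    /* protocol: TCP */
    buf[12] = 10; buf[15] = 1;      /* src 10.0.0.1 (constructed) */
    buf[16] = 10; buf[19] = 2;      /* dst 10.0.0.2 (constructed) */
    uint8_t *tcp = buf + 20;
    tcp[0]  = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2]  = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                 /* data offset = 5 words */
    tcp[13] = 0x02;                 /* SYN */
    return 40;
}

int main(void) {
    uint8_t frame[40];
    AlertSink sink = {0};
    size_t n = build_frame(frame, 40000, HTTP_PORT);
    int fired = modsec_process(frame, n, &sink);
    printf("port 80 SYN:  alert=%d msg=\"%s\"\n", fired, sink.msg);
    memset(&sink, 0, sizeof sink);
    n = build_frame(frame, 40000, 443);
    fired = modsec_process(frame, n, &sink);
    printf("port 443 SYN: alert=%d\n", fired);
    return 0;
}
```

Running the binary prints the outcome for a port-80 SYN and a port-443 SYN; a breakpoint on modsec_process, as suggested above for ModSecProcess(), then shows exactly which early return is taken. If this harness alerts but the real preprocessor does not, the fault lies after the decision (gid/sid registration in the rule files or the alert call itself), which narrows what to inspect in gdb.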