[Snort-devel] Dynamic Preprocessor does not alert and capture packet

Russ rucombs at ...3461...
Thu Jul 9 11:37:56 EDT 2015



On 7/9/15 10:41 AM, Big Whale wrote:
> The preprocessor can be loaded, but in the ModSecProcess() function the 
> preprocessor is supposed to output the alert if the packet matched port 
> 80. But it does not work, so I thought the problem could be the 
> preprocessor rules. I already tried config 
> autogenerate_preprocessor_decoder_rules in snort.conf and defined the 
> preprocessor alert generator id in the preprocessor_rules. Yet 
> everything does not seem to work like it is supposed to. I am building 
> my preprocessor based on the SSH preprocessor. Why don't you try compiling 
> and running it locally so you can experience what kind of problem it is.
>
Why don't you grab the dpx tarball and step that code to see where you 
are going wrong?  That's what it's for.
>
> On Thursday, July 9, 2015 8:56 PM, Hui cao <huica at ...3461...> wrote:
>
>
> Hi Big Whale,
>
> Can you describe in detail what works and what does not? Which decoder 
> rule? Have you seen the rule get triggered in your preprocessor? 
> Again, the SSH preprocessor has an example of how to generate a preprocessor alert.
>
> Best,
> Hui.
>
> On 07/09/2015 12:46 AM, Big Whale wrote:
> I already added "config autogenerate_preprocessor_decoder_rules" in my 
> snort.conf file and put the plugin's alerts in the preprocessor.rules 
> and gen-msg.map. But still no alert from my preprocessor. The 
> preprocessor loaded correctly.
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net  <mailto:Snort-devel at lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
