[Snort-devel] Dynamic Preprocessor does not alert and capture packet

Russ rucombs at ...3461...
Thu Jul 9 21:53:12 EDT 2015


Do you have a Snort question?  If you need general help with development, 
there are more suitable venues like stackoverflow.com. We really don't 
have the bandwidth to walk you through your project step by step.  
However, if you take the time to build and step through the dynamic 
preprocessor example (https://www.snort.org/documents/dpx-readme), you 
will see an event generated in a much simpler piece of code than ssh.  
If dpx gives you trouble, let us know.

Russ

On 7/9/15 9:24 PM, Big Whale wrote:
> Are you sure? It worked in my machine. Well if it's bothering you, you 
> can just comment out that function as it is useless for now.
>
>
>
> On Thursday, July 9, 2015 10:51 PM, Hui cao <huica at ...3461...> wrote:
>
>
> Try to run gdb if you have the binary, set a breakpoint at 
> ModSecProcess(), and step through. Here are steps to use gdb 
> (http://cs.baylor.edu/~donahoo/tools/gdb/tutorial.html)
>
> FYI...your code won't compile. You have the following function defined 
> inside function ModSecProcess(void *pkt, void *context).
>
> void removeSubstr(char *string, char *sub) {
>     char *match = string;
>     size_t len = strlen(sub);
>     if (len == 0)                 /* strstr(s, "") always matches: avoid an endless loop */
>         return;
>     while ((match = strstr(match, sub))) {
>         /* shift the tail (with its NUL) left over the match; memmove, not
>            strcat, because the source and destination ranges overlap */
>         memmove(match, match + len, strlen(match + len) + 1);
>         /* do not advance match, so adjacent occurrences are removed too */
>     }
> }
>
> Best,
> Hui.
> On 07/09/2015 10:41 AM, Big Whale wrote:
> The preprocessor can be loaded, but in the ModSecProcess() function the 
> preprocessor is supposed to output the alert if the packet matches port 
> 80. It does not work, so I thought the problem could be the 
> preprocessor rules. I already tried config 
> autogenerate_preprocessor_decoder_rules in snort.conf and defined the 
> preprocessor alert generator id in the preprocessor_rules. Yet 
> nothing seems to work as it is supposed to. I am building 
> my preprocessor based on the SSH preprocessor. Why don't you try compiling 
> and running it locally so you can experience what kind of problem it is.
>
>
>
> On Thursday, July 9, 2015 8:56 PM, Hui cao <huica at ...3461...> wrote:
>
>
> Hi Big Whale,
>
> Can you describe in detail what works and what does not? Which decoder 
> rule? Have you seen the rule get triggered in your preprocessor? 
> Again, the SSH preprocessor has an example of how to generate a preprocessor alert.
>
> Best,
> Hui.
>
> On 07/09/2015 12:46 AM, Big Whale wrote:
> I already added "config autogenerate_preprocessor_decoder_rules" to my 
> snort.conf file and put the plugin's alerts in preprocessor.rules 
> and gen-msg.map. But still no alert from my preprocessor. The 
> preprocessor loaded correctly.
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

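A standalone, corrected version of the removeSubstr helper discussed above, added here as an example; it is not code from the thread's participants or from the Snort project, and the sample strings are constructed. It is defined at file scope (a function nested inside ModSecProcess() is a GCC extension, which is why the original fails to build), uses memmove() because strcat() on overlapping buffers is undefined behaviour, handles adjacent occurrences, and rejects an empty pattern:

```c
#include <stdio.h>
#include <string.h>

/*
 * Remove every occurrence of `sub` from the NUL-terminated string `s`,
 * in place, and return how many occurrences were removed.
 *
 *  - file-scope definition: nested functions are a GCC extension, not C;
 *  - memmove(), not strcat(): the bytes being copied overlap the bytes
 *    being overwritten, and strcat() on overlapping buffers is undefined;
 *  - `match` is not advanced after a removal, so adjacent occurrences
 *    (e.g. "aa" in "aaaa") are all removed;
 *  - an empty `sub` is rejected, since strstr(s, "") always matches and
 *    the loop would never terminate.
 */
size_t remove_substr(char *s, const char *sub)
{
    size_t sublen = strlen(sub);
    size_t removed = 0;
    char *match = s;

    if (sublen == 0)
        return 0;

    while ((match = strstr(match, sub)) != NULL) {
        /* shift the tail, including its terminating NUL, over the match */
        memmove(match, match + sublen, strlen(match + sublen) + 1);
        removed++;
    }
    return removed;
}

int main(void)
{
    /* constructed sample input, not taken from the thread */
    char buf[] = "host--name----example";
    size_t n = remove_substr(buf, "--");
    printf("%zu removed -> \"%s\"\n", n, buf);
    return 0;
}
```

Because the helper edits the buffer in place, callers that pass packet payload to it must first copy the payload into a writable, NUL-terminated buffer of known size; the function itself never writes past the original string's terminator.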