[Snort-devel] Dynamic Preprocessor does not alert and capture packet

Russ rucombs at ...3461...
Thu Jul 9 22:21:26 EDT 2015



On 7/9/15 10:09 PM, Big Whale wrote:
> I believe there is already a dynamic preprocessor template in 
> Snort's source code, just like dpx's code, and I believe the problem is in 
> my config file. Snort does not seem to recognize the preprocessor 
> generator id or whatever it is. Thanks anyway.
>
That, and all the other problems you have encountered, are demonstrated 
by dpx.

Good luck.
Russ
>
>
> On Friday, July 10, 2015 9:53 AM, Russ <rucombs at ...3461...> wrote:
>
>
> Do you have a Snort question?  If you need general help with development, 
> there are more suitable venues like stackoverflow.com.  We really 
> don't have the bandwidth to walk you through your project step by 
> step.  However, if you take the time to build and step through the 
> dynamic preprocessor example 
> (https://www.snort.org/documents/dpx-readme), you will see an event 
> generated in a much simpler piece of code than ssh.  If dpx gives you 
> trouble, let us know.
>
> Russ
>
> On 7/9/15 9:24 PM, Big Whale wrote:
> Are you sure? It worked on my machine. Well, if it's bothering you, you 
> can just comment out that function, as it is useless for now.
>
>
>
> On Thursday, July 9, 2015 10:51 PM, Hui cao <huica at ...3461...> wrote:
>
>
> Try running gdb if you have the binary: set a breakpoint at 
> ModSecProcess() and step through. Here are the steps to use gdb 
> (http://cs.baylor.edu/~donahoo/tools/gdb/tutorial.html).
>
> FYI... your code won't compile. You have the following function defined 
> inside the function ModSecProcess(void *pkt, void *context).
>
> #include <string.h>   /* strlen, strstr, memmove */
>
> /* Remove every occurrence of sub from string, in place.  The original
>    closed the gap with strcat(), which is undefined when source and
>    destination overlap; memmove() handles the overlap correctly. */
> void removeSubstr(char *string, const char *sub) {
>         char *match = string;
>         size_t len = strlen(sub);
>         if (len == 0)
>             return;                 /* strstr(s, "") would never advance */
>         while ((match = strstr(match, sub)) != NULL) {
>             /* shift the tail, including its terminating NUL, over the match */
>             memmove(match, match + len, strlen(match + len) + 1);
>         }
>     }
>
> Best,
> Hui.
> On 07/09/2015 10:41 AM, Big Whale wrote:
> The preprocessor can be loaded, but in the ModSecProcess() function the 
> preprocessor is supposed to output the alert if the packet matched port 
> 80. But it does not work, so I thought the problem could be the 
> preprocessor rules. I already tried config 
> autogenerate_preprocessor_decoder_rules in snort.conf and defined the 
> preprocessor alert generator id in the preprocessor_rules. Yet 
> nothing seems to work like it is supposed to. I am building 
> my preprocessor based on the SSH preprocessor. Why don't you try to compile 
> and run it locally so you can experience what kind of problem it is.
>
>
>
> On Thursday, July 9, 2015 8:56 PM, Hui cao <huica at ...3461...> wrote:
>
>
> Hi Big Whale,
>
> Can you describe in detail what works and what does not? Which decoder 
> rule? Have you seen the rule get triggered in your preprocessor? 
> Again, the SSH preprocessor has an example of how to generate a preprocessor alert.
>
> Best,
> Hui.
>
> On 07/09/2015 12:46 AM, Big Whale wrote:
> I already added "config autogenerate_preprocessor_decoder_rules" to my 
> snort.conf file and put the plugin's alerts in preprocessor.rules 
> and gen-msg.map. But there is still no alert from my preprocessor. The 
> preprocessor loaded correctly.
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150709/35309c99/attachment.html>
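The thread keeps circling the same point: a preprocessor event only becomes an alert when the generator id and event id raised in the plugin's code, the gen-msg.map entry, and a preprocessor rule (or the autogenerate config) all agree. The fragment below is an added example, not code from the thread or from the Snort project; it mirrors the dpx layout, and the preprocessor keyword `modsec`, the generator id 256 (the value dpx itself uses), the event id 1, the message text and the library path are assumptions chosen for illustration.

```conf
# --- 1. Preprocessor source (assumed names).  The gid/sid pair passed to
#        _dpd.alertAdd() is the key that the two files below are looked up by:
#
#          #define GENERATOR_SPP_MODSEC    256   /* assumed; same value as dpx */
#          #define MODSEC_EVENT_HTTP_PORT  1
#          #define MODSEC_EVENT_HTTP_PORT_STR "(modsec) traffic on port 80"
#          _dpd.alertAdd(GENERATOR_SPP_MODSEC, MODSEC_EVENT_HTTP_PORT,
#                        1, 0, 3, MODSEC_EVENT_HTTP_PORT_STR, 0);

# --- 2. etc/gen-msg.map: "gid || sid || message", used to label the event
#        in the alert output.  Must match the gid/sid raised above.
256 || 1 || (modsec) traffic on port 80

# --- 3. preproc_rules/preprocessor.rules: without a rule for this gid:sid
#        (and without autogenerate, below) the event is dropped silently,
#        which looks exactly like "the preprocessor loads but never alerts".
alert ( msg: "MODSEC_EVENT_HTTP_PORT"; sid: 1; gid: 256; rev: 1; metadata: rule-type preproc; classtype: policy-violation; )

# --- 4. etc/snort.conf: load the shared object, configure the preprocessor
#        under the keyword it registers, and pull in the preprocessor rules.
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_modsec_preproc.so
preprocessor modsec: ports { 80 }
var PREPROC_RULE_PATH /etc/snort/preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules

# During development this line lets Snort synthesize the preprocessor rules
# itself, so a missing preprocessor.rules entry cannot be the reason for
# silence; leave it out once the rules file is maintained by hand.
# config autogenerate_preprocessor_decoder_rules
```

A quick way to confirm which of the four pieces is the odd one out is to start Snort with `-c snort.conf -T` (test mode) and read the preprocessor rule count it reports, then grep the gid:sid from the alert call through gen-msg.map and preprocessor.rules; if the plugin's gid differs from any existing built-in generator id, it also has to be unique across everything listed in generators.h.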

