[Snort-devel] unified2 extra data - howto

Michal Keníž michalkeniz at ...2499...
Wed Mar 25 18:35:01 EDT 2015


Hello,

I am currently developing a Snort dynamic preprocessor. I would like to
log some additional data to the unified2 extra data field as described here
http://manual.snort.org/node44.html#SECTION00637000000000000000 .

I couldn't find any howtos or documentation about this topic, so I tried to
figure it out by inspecting the smtp preprocessor which uses the extra data
field (as can be seen here https://www.snort.org/faq/readme-unified2).

I thought it should be enough if I use the following code:

   - Init function ~

    static void Init(struct _SnortConfig *sc, char *args)
    {
        // basic init stuff ~ config and registering

        // remember the id the stream API hands back; it selects this callback later
        config->xtra_funkcion_id =
            _dpd.streamAPI->reg_xtra_data_cb(CallBackFunctionUnified2);
    }

   - Callback function ~

    int CallBackFunctionUnified2(void *data, uint8_t **buf, uint32_t *len,
                                 uint32_t *type)
    {
        _dpd.logMsg("Npcusum: JUST TRYING IF THIS FUNCTION IS CALLED WHILE TRAFFIC "
                    "PROCESSING \n");
        return 0;   // 0 = no extra data supplied (buf/len/type left unset)
    }

   - Packet processing ~

    static void ProcessPacket(void *pkt, void *context)
    {
        SFSnortPacket *p = (SFSnortPacket *)pkt;
        // not important stuff.
        // just packets with FIN flag (tcp_header is NULL for non-TCP packets)
        if (p->tcp_header &&
            (p->tcp_header->flags & TCPHEADER_FIN) == TCPHEADER_FIN) {
            config->userdata.fin_count = config->userdata.fin_count + 1;
            _dpd.logMsg("Npcusum: JUST TRYING TO LOG SOMETHING :\n");
            _dpd.streamAPI->set_extra_data(p->stream_session, p,
                                           config->xtra_funkcion_id);
        }
        // not important stuff.
    }

But this doesn't work: no log message is displayed (so the function is not
called at all).

Would it be possible to give me some info/guidelines about using the
unified2 extra data field in a new dynamic preprocessor: a basic example
(maybe an extension of the Snort example preprocessor?), or just a list of
requirements I have to fulfill for it to work.

Thank you for your time,

Best regards, Michal

-- 
Carpe Diem
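Editor's note, with an added example that is not code from the post or from Snort. In Snort 2.9 the callback registered with reg_xtra_data_cb is not invoked during packet processing: set_extra_data only sets that callback's bit on the session, and the unified2 output plugin (spo_unified2.c) invokes the callback when it logs an event on that session, writing an extra-data record only if the callback returns non-zero with a non-empty buffer and a type id. The stand-alone program below models that writer step and pairs it with a length-checked parser for the record, so the on-disk layout linked in the post can be verified without a running Snort. Struct layouts and the constants 110 (UNIFIED2_EXTRA_DATA), 4 (EVENT_TYPE_EXTRA_DATA) and 1 (EVENT_DATA_TYPE_BLOB) follow Unified2_common.h; the type id XTRA_TYPE_FIN_COUNT (100), the FakeSession state and the "fin_count=N" payload are assumptions made up for illustration.

```c
/* Added example, not code from the post or from Snort: a stand-alone model of
 * what Snort's unified2 output plugin does with an extra-data callback, plus a
 * length-checked parser for the record. Struct layouts and the constants 110/4/1
 * follow Unified2_common.h; XTRA_TYPE_FIN_COUNT, FakeSession and the payload
 * "fin_count=N" are made up for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>              /* htonl/ntohl: unified2 is big-endian on disk */

#define UNIFIED2_EXTRA_DATA   110   /* Serial_Unified2_Header.type */
#define EVENT_TYPE_EXTRA_DATA 4     /* Unified2ExtraDataHdr.event_type */
#define EVENT_DATA_TYPE_BLOB  1     /* Unified2ExtraData.data_type */
#define XTRA_TYPE_FIN_COUNT   100   /* hypothetical type id; 1..13 are taken by Snort */

typedef struct { uint32_t type, length; } Serial_Unified2_Header;
typedef struct { uint32_t event_type, event_length; } Unified2ExtraDataHdr;
typedef struct { uint32_t sensor_id, event_id, event_second, type, data_type, blob_length; } Unified2ExtraData;

/* Same shape as the callback given to reg_xtra_data_cb: return 1 and fill
 * buf/len/type when this session has data to log, 0 when it has none. */
typedef int (*LogFunction)(void *ssn, uint8_t **buf, uint32_t *len, uint32_t *type);

typedef struct { uint32_t fin_count; char blob[32]; } FakeSession;  /* stand-in session state */

static int fin_count_xtra(void *ssn, uint8_t **buf, uint32_t *len, uint32_t *type)
{
    FakeSession *s = (FakeSession *)ssn;
    if (s->fin_count == 0)
        return 0;                                   /* nothing to log: no record */
    *len  = (uint32_t)snprintf(s->blob, sizeof s->blob, "fin_count=%u", s->fin_count);
    *buf  = (uint8_t *)s->blob;
    *type = XTRA_TYPE_FIN_COUNT;
    return 1;
}

/* Writer side: what the output plugin does once an event is logged on a session
 * whose extra-data bit is set. Returns the record size, or 0 if the callback had
 * nothing to add or the buffer is too small. */
static size_t u2_write_extra_data(uint8_t *out, size_t cap, void *ssn, LogFunction cb,
                                  uint32_t event_id, uint32_t event_second)
{
    uint8_t *blob = NULL;
    uint32_t len = 0, type = 0;
    if (!cb(ssn, &blob, &len, &type) || len == 0)
        return 0;
    size_t total = sizeof(Serial_Unified2_Header) + sizeof(Unified2ExtraDataHdr)
                 + sizeof(Unified2ExtraData) + len;
    if (total > cap)
        return 0;
    uint32_t body = (uint32_t)(total - sizeof(Serial_Unified2_Header));
    Serial_Unified2_Header hdr = { htonl(UNIFIED2_EXTRA_DATA), htonl(body) };
    Unified2ExtraDataHdr   xh  = { htonl(EVENT_TYPE_EXTRA_DATA), htonl(body) };
    Unified2ExtraData      xd  = { 0, htonl(event_id), htonl(event_second), htonl(type),
                                   htonl(EVENT_DATA_TYPE_BLOB), htonl(8 + len) };
    /* blob_length counts data_type + blob_length + data, as Unified2_common.h says */
    uint8_t *p = out;
    memcpy(p, &hdr, sizeof hdr); p += sizeof hdr;
    memcpy(p, &xh,  sizeof xh);  p += sizeof xh;
    memcpy(p, &xd,  sizeof xd);  p += sizeof xd;
    memcpy(p, blob, len);
    return total;
}

typedef struct {
    uint32_t event_id, event_second, type, data_type, data_len;
    const uint8_t *data;                            /* points into the input buffer */
} ParsedXtra;

/* Reader side: check every length before trusting it, since a unified2 consumer
 * reads attacker-influenced blobs. Returns 1 on success, 0 on a malformed record. */
static int u2_parse_extra_data(const uint8_t *in, size_t n, ParsedXtra *out)
{
    Serial_Unified2_Header hdr; Unified2ExtraDataHdr xh; Unified2ExtraData xd;
    const size_t fixed = sizeof hdr + sizeof xh + sizeof xd;
    if (n < fixed)
        return 0;
    memcpy(&hdr, in, sizeof hdr);
    memcpy(&xh,  in + sizeof hdr, sizeof xh);
    memcpy(&xd,  in + sizeof hdr + sizeof xh, sizeof xd);
    if (ntohl(hdr.type) != UNIFIED2_EXTRA_DATA || ntohl(xh.event_type) != EVENT_TYPE_EXTRA_DATA)
        return 0;
    uint32_t body = ntohl(hdr.length);
    if (body != ntohl(xh.event_length) || body < sizeof xh + sizeof xd || body + sizeof hdr > n)
        return 0;
    uint32_t blob_len = ntohl(xd.blob_length);
    if (blob_len < 8 || blob_len - 8 != body - sizeof xh - sizeof xd)
        return 0;
    out->event_id  = ntohl(xd.event_id);   out->event_second = ntohl(xd.event_second);
    out->type      = ntohl(xd.type);       out->data_type    = ntohl(xd.data_type);
    out->data_len  = blob_len - 8;         out->data         = in + fixed;
    return 1;
}

int main(void)
{
    FakeSession s = { 3, "" };                      /* constructed: three FINs seen */
    uint8_t rec[128];
    ParsedXtra px;
    size_t n = u2_write_extra_data(rec, sizeof rec, &s, fin_count_xtra, 7, 1427315701);
    if (n && u2_parse_extra_data(rec, n, &px))
        printf("%zu-byte record: event %u, type %u, data \"%.*s\"\n",
               n, px.event_id, px.type, (int)px.data_len, (const char *)px.data);
    return 0;
}
```

Two things the model makes visible: a callback that returns 0, as the probe callback in the post does, produces no record at all, and a real preprocessor must hand back a type id of its own, since 1 through 13 are already assigned in README.unified2 (the value 100 here is an assumption, and tools such as u2spewfoo will not know what to call it). The parser rejects a record whose outer length, event_length and blob_length disagree with each other or with the bytes actually available, which is the check a unified2 reader needs before it dereferences anything from the file.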