[Snort-devel] unified2 extra data - howto

Pablo Cantos Polaino pcantos at ...3500...
Thu Mar 26 04:07:28 EDT 2015


Hi Michal,

I'm working on including some extra data fields related to files captured
by Snort. For that, I'm using the new and experimental File preprocessor
and modifying some pieces of code. So far, I have managed to include in the
snort.log.<timestamp> files the extra data I was interested in. I hope I
can share it shortly.

I would recommend you put the following line:

p->xtradata_mask |= BIT(config->xtra_funkcion_id);


instead of:

_dpd.streamAPI->set_extra_data(p->stream_session, p,
                               config->xtra_funkcion_id);


If this doesn't work, could you use gdb to be sure the
CallBackFunctionUnified2 function is being called?

Best Regards,

Pablo Cantos
redborder.org / pcantos at ...3500...

2015-03-25 23:35 GMT+01:00 Michal Keníž <michalkeniz at ...2499...>:

> Hello,
>
> I am currently developing a snort dynamic preprocessor. I would like to
> log some additional data to the unified2-extra field as described here
> http://manual.snort.org/node44.html#SECTION00637000000000000000 .
>
> I couldn't find any howtos or documentation about this topic, so I tried
> to figure it out by inspecting the smtp preprocessor which uses the extra
> data field (as can be seen here https://www.snort.org/faq/readme-unified2
> ).
>
> I thought it should be enough if I use the following code:
>
>    - Init function ~
>
> static void Init(struct _SnortConfig *sc, char *args)
> {
>     // basic init stuff ~ config and registering
>
>     // register the extra-data callback and keep the id it returns
>     config->xtra_funkcion_id =
>         _dpd.streamAPI->reg_xtra_data_cb(CallBackFunctionUnified2);
> }
>
>    - Callback function ~
>
> int CallBackFunctionUnified2(void *data, uint8_t **buf, uint32_t *len,
>                              uint32_t *type)
> {
>     _dpd.logMsg("Npcusum: JUST TRYING IF THIS FUNCTION IS CALLED WHILE "
>                 "TRAFFIC PROCESSING \n");
>     // 0 means "no extra data to log"; *buf/*len/*type are left unset
>     return 0;
> }
>
>    - Packet processing ~
>
> static void ProcessPacket(void *pkt, void *context)
> {
>     // not important stuff.
>     if ((p->tcp_header->flags & TCPHEADER_FIN) == TCPHEADER_FIN) {
>         // just packets with FIN flag
>         config->userdata.fin_count = config->userdata.fin_count + 1;
>         _dpd.logMsg("Npcusum: JUST TRYING TO LOG SOMETHING :\n");
>         _dpd.streamAPI->set_extra_data(p->stream_session, p,
>                                        config->xtra_funkcion_id);
>     }
>     // not important stuff.
> }
>
> But this doesn't work, no log message is displayed (so the function is not
> called at all).
>
> Would it be possible to give me some info/guidelines about using the
> unified2 extra data field in a new dynamic preprocessor - a basic example
> (maybe an extension of the snort example preprocessor?), or just a list of
> requirements I have to fulfill for it to work.
>
> Thank you for your time,
>
> best regards Michal
>
> --
> Carpe Diem
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>