[Snort-devel] Preprocessor's process function not called due to wrong pp_enabled masks

Matthias Wübbeling matthias.wuebbeling at ...3568...
Tue Jun 28 14:17:29 EDT 2016

Hi folks,

I experience some problems developing a dynamic preprocessor (it works
fine with Snort <= but there are some issues with more recent
versions). Setup and initialization pass without any problems but the
process function itself is never called. I've seen emails regarding the
same or a similar problem; they just got no answer.

I started digging into it (using Snort version and found out,
that the process function is not called as the pp_enabled bitmask (of
the policy) has never been set for any port;
IsPreprocessorEnabled(p,ppn->preproc_bit) fails in src/detect.c:140.
*This seems odd to me*.

After adding the following lines of code to plugbase.c (line 989 ff) the
pp's process function is called as desired.

 989     uint32_t port;
 990     for( port = 0; port < MAX_PORTS; port++ )
 991       p->pp_enabled[ port ] |= ( UINT64_C(1) << node->preproc_id );

The dynamic-preprocessors contained in the source release rely on the
session or stream5 API (both are not dynamic). In
preprocessors/spp_session.c the pp_enabled is set for all ports accordingly.

I tried to set the pp_enabled bitmask directly inside my pp's
init function but there is no SnortPolicy struct defined in
the dynamic-preprocessors/include headers providing access to pp_enabled.

When including src/snort.h (it defines SnortPolicy) from my pp, this
fails due to header problems defining structs multiple times (see below)
so this is no solution to get SnortPolicy into the pp.

E.g. _CiscoMetaHdr is defined in the following files (grep output):

decode.h:typedef struct _CiscoMetaHdr
detection-plugins/sf_snort_packet.h:typedef struct _CiscoMetaHdr
dynamic-plugins/sf_engine/sf_snort_packet.h:typedef struct _CiscoMetaHdr
dynamic-preprocessors/include/sf_snort_packet.h:typedef struct _CiscoMetaHdr

So using snort.h is not an option.

What do you think might be the best way to set the pp_enabled bitmap
correctly? Or am I wrong? I do not really want to enable all dynamic pps
for all ports in plugbase.c but obviously, there is no other way.

Thanks in advance.

Kind regards,
- Matthias

Matthias Wübbeling		  |Fraunhofer FKIE
Phone: +49 (228) 73-54250         |Cyber Security Department
Fax:   +49 (228) 73-4571          |Friedrich-Ebert-Allee 144
matthias.wuebbeling at ...3568...|53113 Bonn, Germany
GnuPG key fingerprint:            |Computer Science IV - WG IT-Security
BB6A A737 6E64 E867 24C1          |University of Bonn
A34B D7D9 0AC4 4E38 E7B6          |Friedrich-Ebert-Allee 144, 53113 Bonn
Check: My message should be signed|https://net.cs.uni-bonn.de/wueb/
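
An added illustration, not part of the original mail and not Snort source code: a simplified C model of the per-port gate described above, showing why a process function never runs while its bit is unset and how it can be enabled for selected ports only instead of all of them. The ModelPolicy/ModelPacket types, dispatch(), enable_on_ports(), the OR of source- and destination-port bits, and the sample ports and id are assumptions made for this example; only pp_enabled, MAX_PORTS and the UINT64_C(1) << id mask come from the mail.

```c
#include <stdint.h>
#include <string.h>

#define MAX_PORTS 65536   /* one mask entry per TCP/UDP port */

/* Simplified stand-ins for policy and packet; not Snort's definitions. */
typedef struct { uint64_t pp_enabled[MAX_PORTS]; } ModelPolicy;
typedef struct { uint16_t sp, dp; } ModelPacket;

static ModelPolicy policy;   /* static storage: 512 KiB, zero-initialised */
static int calls;            /* how often the process function ran */

static void my_process(const ModelPacket *p) { (void)p; calls++; }

/* Bit for a preprocessor id. UINT64_C matters: a plain int shift by an id
 * of 32 or more would be undefined behaviour. */
static uint64_t pp_bit(unsigned id) { return UINT64_C(1) << id; }

/* Enable one preprocessor on a list of ports only (hypothetical helper). */
static void enable_on_ports(ModelPolicy *pol, unsigned id,
                            const uint16_t *ports, size_t n)
{
    for (size_t i = 0; i < n; i++)
        pol->pp_enabled[ports[i]] |= pp_bit(id);
}

/* Assumed gate: the masks of source and destination port are OR-ed. */
static int dispatch(const ModelPolicy *pol, unsigned id, const ModelPacket *p)
{
    uint64_t bits = pol->pp_enabled[p->sp] | pol->pp_enabled[p->dp];
    if (!(bits & pp_bit(id)))
        return 0;            /* mask never set: callback silently skipped */
    my_process(p);
    return 1;
}

/* Returns how many constructed sample packets reached my_process(). */
static int run_model(int enable)
{
    const uint16_t ports[] = { 80, 8080 };   /* constructed port list */
    const ModelPacket pkts[] = { {40000, 80}, {8080, 40001}, {40002, 22} };
    const unsigned id = 37;                  /* constructed preprocessor id */
    memset(&policy, 0, sizeof policy);
    calls = 0;
    if (enable)
        enable_on_ports(&policy, id, ports, sizeof ports / sizeof ports[0]);
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        dispatch(&policy, id, &pkts[i]);
    return calls;
}

int main(void) { return (run_model(0) == 0 && run_model(1) == 2) ? 0 : 1; }
```

With the mask left empty no packet reaches the callback; with two ports enabled, only the packets touching those ports do, and the port-22 packet is still skipped.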
