[Snort-devel] Which parameters to pass in addPreproc func?

Jan Hermes jan.hermes at ...3632...
Thu May 19 12:15:43 EDT 2016

Yes I did that, I tried a lot of combinations already actually...

At first I thought

_dpd.addPreproc(sc, SppProfinetProcess, PRIORITY_CORE, 10000, PROTO_BIT__ALL);

might be the thing to do, because

PRIORITY_CORE -> pp gets called first so should not be disabled by any other preprocessors

10000 -> I really don't know what the preproc_id is doing, so I left it as it is... Although I also tested some other values from the preprocids.h file.

PROTO_BIT__ALL -> will always evaluate to true in the detect.c function


But I now measured it down to the preproc_bits value...

Because in plugbase.h the inline comparison of the packages preprocessor bits and the preprocessors preprocessor bits evaluate to "false"...

static inline int IsPreprocessorEnabled(Packet *p, PreprocEnableMask preproc_bit)
    return ( ( p->preprocessor_bits & preproc_bit ) != 0 );

but yet I don't know where to set the preprocessors preproc_bit correctly...

On 19.05.2016 16:43, Ed Borgoyn (eborgoyn) wrote:

Have you tried registering the preproc with PROTO_BIT__ALL instead of just
UDP and/or TCP?

On 5/19/16, 8:11 AM, "Jan Hermes" <jan.hermes at ...3632...><mailto:jan.hermes at ...3632...> wrote:

I would like to let my dynamic preprocessor being called on every single
package that runs through the network. Which parameters do I have to
pass to the registration function?

I tried a lot of combinations with values from the preprocids.h file.

But the best I could get was the preconfigured situation from the
example preprocessor, which gets called on every package with tcp or udp.

But it is missing all those packages with an unknown ethertype.
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data
Snort-devel mailing list
Snort-devel at lists.sourceforge.net<mailto:Snort-devel at lists.sourceforge.net>

Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20160519/4f5bbae1/attachment.html>

More information about the Snort-devel mailing list