<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <div class="moz-cite-prefix">On 7/9/15 10:09 PM, Big Whale wrote:<br>
    </div>
    <blockquote
cite="mid:1273509764.2290005.1436494195591.JavaMail.yahoo@...3559..."
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div style="color:#000; background-color:#fff;
        font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
        Lucida Grande, sans-serif;font-size:16px">
        <div id="yui_3_16_0_1_1436493066598_14700" dir="ltr">I believe
          there is already a dynamic preprocessor template in Snort's
          source code, just like dpx's code, and I believe the problem is in
          my config file. Snort seems not to recognize the
          preprocessor generator ID or whatever it is. Thanks anyway.<br>
        </div>
        <div id="yui_3_16_0_1_1436493066598_12087"><span></span></div>
        <br>
      </div>
    </blockquote>
    That, and all the other problems you have encountered, are
    demonstrated by dpx.<br>
    <br>
    Good luck.<br>
    Russ<br>
    <blockquote
cite="mid:1273509764.2290005.1436494195591.JavaMail.yahoo@...3559..."
      type="cite">
      <div style="color:#000; background-color:#fff;
        font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
        Lucida Grande, sans-serif;font-size:16px">
        <div class="qtdSeparateBR"><br>
          <br>
        </div>
        <div style="display: block;" class="yahoo_quoted">
          <div style="font-family: HelveticaNeue, Helvetica Neue,
            Helvetica, Arial, Lucida Grande, sans-serif; font-size:
            16px;">
            <div style="font-family: HelveticaNeue, Helvetica Neue,
              Helvetica, Arial, Lucida Grande, sans-serif; font-size:
              16px;">
              <div dir="ltr"> <font size="2" face="Arial"> On Friday,
                  July 10, 2015 9:53 AM, Russ <a class="moz-txt-link-rfc2396E" href="mailto:rucombs@...3461...">&lt;rucombs@...3461...&gt;</a>
                  wrote:<br>
                </font> </div>
              <br>
              <br>
              <div class="y_msg_container">
                <div id="yiv1431121940">
                  <div> Do you have a Snort question?  If you need general
                    help with development, there are more suitable
                    venues like stackoverflow.com.  We really don't have
                    the bandwidth to walk you through your project step
                    by step.  However, if you take the time to build and
                    step through the dynamic preprocessor example (<a
                      moz-do-not-send="true" rel="nofollow" shape="rect"
                      class="yiv1431121940moz-txt-link-freetext"
                      target="_blank"
                      href="https://www.snort.org/documents/dpx-readme">https://www.snort.org/documents/dpx-readme</a>),
                    you will see an event generated in a much simpler
                    piece of code than ssh.  If dpx gives you trouble,
                    let us know.<br clear="none">
                    <br clear="none">
                    Russ<br clear="none">
                    <br clear="none">
                    <div class="yiv1431121940yqt5794329465"
                      id="yiv1431121940yqt56276">
                      <div class="yiv1431121940moz-cite-prefix">On
                        7/9/15 9:24 PM, Big Whale wrote:<br clear="none">
                      </div>
                      <blockquote type="cite"> </blockquote>
                    </div>
                  </div>
                  <div class="yiv1431121940yqt5794329465"
                    id="yiv1431121940yqt72688">
                    <div>
                      <div
                        style="color:#000;background-color:#fff;font-family:HelveticaNeue,
                        Helvetica Neue, Helvetica, Arial, Lucida Grande,
                        sans-serif;font-size:16px;">
                        <div id="yiv1431121940">
                          <div
                            id="yiv1431121940yui_3_16_0_1_1436420134447_60027">
                            <div
                              id="yiv1431121940yui_3_16_0_1_1436420134447_60026"
                              style="color:#000;background-color:#fff;font-family:HelveticaNeue,
                              Helvetica Neue, Helvetica, Arial, Lucida
                              Grande, sans-serif;font-size:16px;">Are
                              you sure? It worked on my machine. Well, if
                              it's bothering you, you can just comment
                              out that function as it is useless for
                              now.<br clear="none">
                              <div
                                id="yiv1431121940yui_3_16_0_1_1436420134447_54143"><span></span></div>
                              <br clear="none">
                              <div class="yiv1431121940qtdSeparateBR"
                                id="yiv1431121940yui_3_16_0_1_1436420134447_60028"><br
                                  clear="none">
                                <br clear="none">
                              </div>
                            </div>
                          </div>
                        </div>
                        <div>
                          <div style="font-family:HelveticaNeue,
                            Helvetica Neue, Helvetica, Arial, Lucida
                            Grande, sans-serif;font-size:16px;">
                            <div style="font-family:HelveticaNeue,
                              Helvetica Neue, Helvetica, Arial, Lucida
                              Grande, sans-serif;font-size:16px;">
                              <div dir="ltr"> <font size="2"
                                  face="Arial"> On Thursday, July 9,
                                  2015 10:51 PM, Hui cao <a
                                    moz-do-not-send="true"
                                    rel="nofollow" shape="rect"
                                    class="yiv1431121940moz-txt-link-rfc2396E"
                                    ymailto="mailto:huica@...3461..."
                                    target="_blank"
                                    href="mailto:huica@...3461...">&lt;huica@...3461...&gt;</a>
                                  wrote:<br clear="none">
                                </font> </div>
                              <br clear="none">
                              <br clear="none">
                              <div class="yiv1431121940y_msg_container">
                                <div id="yiv1431121940">
                                  <div> Try to run gdb if you have the
                                    binary, set a breakpoint at
                                    ModSecProcess(), and step through.
                                    Here are steps to use gdb (<a
                                      moz-do-not-send="true"
                                      rel="nofollow" shape="rect"
                                      class="yiv1431121940moz-txt-link-freetext"
                                      target="_blank"
                                      href="http://cs.baylor.edu/%7Edonahoo/tools/gdb/tutorial.html">http://cs.baylor.edu/~donahoo/tools/gdb/tutorial.html</a>)<br
                                      clear="none">
                                    <br clear="none">
                                    FYI...your code won't compile. You
                                    have the following function defined
                                    inside function ModSecProcess(void
                                    *pkt, void *context). <br
                                      clear="none">
                                    <br clear="none">
                                    void removeSubstr(char *string, char
                                    *sub) {<br clear="none">
                                            char *match = string;<br
                                      clear="none">
                                            int len = strlen(sub);<br
                                      clear="none">
                                            while((match = strstr(match,
                                    sub))) {<br clear="none">
                                                *match = '\0';<br
                                      clear="none">
                                                strcat(string,
                                    match+len);<br clear="none">
                                                match++;<br clear="none">
                                            }<br clear="none">
                                        }<br clear="none">
                                    <br clear="none">
                                    Best,<br clear="none">
                                    Hui.<br clear="none">
                                    <div
                                      class="yiv1431121940yqt7920496597"
                                      id="yiv1431121940yqt26327">
                                      <div
                                        class="yiv1431121940moz-cite-prefix">On

                                        07/09/2015 10:41 AM, Big Whale
                                        wrote:<br clear="none">
                                      </div>
                                      <blockquote type="cite"> </blockquote>
                                    </div>
                                  </div>
                                  <div
                                    class="yiv1431121940yqt7920496597"
                                    id="yiv1431121940yqt11633">
                                    <div>
                                      <div
                                        style="color:#000;background-color:#fff;font-family:HelveticaNeue,
                                        Helvetica Neue, Helvetica,
                                        Arial, Lucida Grande,
                                        sans-serif;font-size:16px;">
                                        <div
                                          id="yiv1431121940yui_3_16_0_1_1436420134447_19044"><span
id="yiv1431121940yui_3_16_0_1_1436420134447_22608">The preprocessor can
                                            be loaded, but in the
                                            ModSecProcess() function
                                            the preprocessor is supposed to
                                            output the alert if the
                                            packet matched port 80. But
                                            it does not work, so I
                                            thought the problem could be
                                            the preprocessor rules. I
                                            already tried config
                                            autogenerate_preprocessor_decoder_rules
                                            in snort.conf and defined the
                                            preprocessor alert generator
                                            ID in the
                                            preprocessor_rules. Yet
                                            everything does not seem to
                                            work like it is supposed to. I
                                            am building my preprocessor
                                            based on the SSH preprocessor.
                                            Why don't you try to compile
                                            and run it locally so you
                                            can experience what kind of
                                            problem it is?</span></div>
                                        <br clear="none">
                                        <div
                                          class="yiv1431121940qtdSeparateBR"><br
                                            clear="none">
                                          <br clear="none">
                                        </div>
                                        <div
                                          class="yiv1431121940yahoo_quoted"
                                          style="display:block;">
                                          <div
                                            style="font-family:HelveticaNeue,
                                            Helvetica Neue, Helvetica,
                                            Arial, Lucida Grande,
                                            sans-serif;font-size:16px;">
                                            <div
                                              style="font-family:HelveticaNeue,
                                              Helvetica Neue, Helvetica,
                                              Arial, Lucida Grande,
                                              sans-serif;font-size:16px;">
                                              <div dir="ltr"> <font
                                                  size="2" face="Arial">
                                                  On Thursday, July 9,
                                                  2015 8:56 PM, Hui cao
                                                  <a
                                                    moz-do-not-send="true"
                                                    rel="nofollow"
                                                    shape="rect"
                                                    class="yiv1431121940moz-txt-link-rfc2396E"
ymailto="mailto:huica@...3461..." target="_blank"
                                                    href="mailto:huica@...3461...">&lt;huica@...3461...&gt;</a>
                                                  wrote:<br clear="none">
                                                </font> </div>
                                              <br clear="none">
                                              <br clear="none">
                                              <div
                                                class="yiv1431121940y_msg_container">
                                                <div id="yiv1431121940">
                                                  <div> Hi Big Whale,<br
                                                      clear="none">
                                                    <br clear="none">
                                                    Can you describe in
                                                    detail what works
                                                    and what does not? Which
                                                    decoder rule? Have
                                                    you seen the rule
                                                    get triggered in
                                                    your preprocessor?
                                                    Again, the SSH
                                                    preprocessor has
                                                    an example of how to
                                                    generate a
                                                    preprocessor alert.<br
                                                      clear="none">
                                                    <br clear="none">
                                                    Best,<br
                                                      clear="none">
                                                    Hui.<br clear="none">
                                                    <br clear="none">
                                                    <div
                                                      class="yiv1431121940yqt8020495202"
id="yiv1431121940yqt62966">
                                                      <div
                                                        class="yiv1431121940moz-cite-prefix">On


                                                        07/09/2015 12:46
                                                        AM, Big Whale
                                                        wrote:<br
                                                          clear="none">
                                                      </div>
                                                      <blockquote
                                                        type="cite"> </blockquote>
                                                    </div>
                                                  </div>
                                                  <div
                                                    class="yiv1431121940yqt8020495202"
id="yiv1431121940yqt88103">
                                                    <div>
                                                      <div
                                                        style="color:#000;background-color:#fff;font-family:HelveticaNeue,
                                                        Helvetica Neue,
                                                        Helvetica,
                                                        Arial, Lucida
                                                        Grande,
                                                        sans-serif;font-size:16px;">
                                                        <div
                                                          id="yiv1431121940yui_3_16_0_1_1436413306311_4874">I
                                                          already added
                                                          "config
                                                          autogenerate_preprocessor_decoder_rules"
                                                          in my
                                                          snort.conf
                                                          file and put
                                                          the plugin's
                                                          alerts in the
                                                          preprocessor.rules
                                                          and
                                                          gen-msg.map.
                                                          But still no
                                                          alert from my
                                                          preprocessor.
                                                          The
                                                          preprocessor
                                                          loaded
                                                          correctly.<br
                                                          clear="none">
                                                        </div>
                                                      </div>
                                                      <br clear="none">
                                                      <pre>_______________________________________________
Snort-devel mailing list
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="yiv1431121940moz-txt-link-abbreviated" ymailto="mailto:Snort-devel@lists.sourceforge.net" target="_blank" href="mailto:Snort-devel@lists.sourceforge.net">Snort-devel@lists.sourceforge.net</a>
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="yiv1431121940moz-txt-link-freetext" target="_blank" href="https://lists.sourceforge.net/lists/listinfo/snort-devel">https://lists.sourceforge.net/lists/listinfo/snort-devel</a>
Archive:
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="yiv1431121940moz-txt-link-freetext" target="_blank" href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel</a>

Please visit <a moz-do-not-send="true" rel="nofollow" shape="rect" class="yiv1431121940moz-txt-link-freetext" target="_blank" href="http://blog.snort.org/">http://blog.snort.org</a> for the latest news about Snort!</pre>
                                                      <br clear="none">
                                                    </div>
                                                  </div>
                                                </div>
                                                <br clear="none">
                                                <br clear="none">
                                                <br clear="none">
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                      <br clear="none">
                                    </div>
                                  </div>
                                </div>
                                <br clear="none">
                                <br clear="none">
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
                <br>
                <br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
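Added example (not part of the original thread or of Snort's code): the removeSubstr helper quoted in Hui's reply calls strcat with a source that lies inside the destination, which is undefined behaviour in C; it also skips an occurrence that directly follows a removed one, and never terminates on an empty sub. The sketch below defines the helper at file scope and uses memmove instead; the name remove_substr, the returned count, and the NUL-terminated writable buffer are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Remove every occurrence of `sub` from the NUL-terminated, writable
 * buffer `str`, in place. Returns the number of occurrences removed.
 *
 * Differences from the removeSubstr quoted in the thread:
 *  - defined at file scope (standard C has no nested functions);
 *  - memmove instead of strcat, because source and destination overlap;
 *  - an empty `sub` is rejected: strstr(s, "") always returns s, so the
 *    original loop would keep writing NUL bytes past the end of the buffer;
 *  - the scan resumes at the removal point instead of one byte later, so
 *    back-to-back occurrences ("abab") are both removed.
 *
 * Occurrences that only come into existence when the two sides of a removal
 * are joined ("aabb" minus "ab" leaves "ab") are left in place: this is a
 * single left-to-right pass over the original text.
 */
size_t remove_substr(char *str, const char *sub)
{
    size_t removed = 0;
    size_t len;
    char *match;

    if (str == NULL || sub == NULL)
        return 0;

    len = strlen(sub);
    if (len == 0)
        return 0;

    match = str;
    while ((match = strstr(match, sub)) != NULL) {
        /* Shift the tail left over the match; +1 also moves the terminator. */
        memmove(match, match + len, strlen(match + len) + 1);
        removed++;
    }
    return removed;
}

int main(void)
{
    /* Constructed sample input, not taken from the thread. */
    char buf[] = "xababy";
    size_t n = remove_substr(buf, "ab");

    printf("%zu removed, result \"%s\"\n", n, buf);
    return 0;
}
```

The function never grows the string, so it cannot write past the original terminator. It does assume the input is NUL-terminated, so a raw packet payload would first have to be copied into a terminated buffer.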
  </body>
</html>