<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Try to run gdb if you have the binary, set a breakpoint at
    ModSecProcess(), and step through. Here are the steps to use gdb
    (<a class="moz-txt-link-freetext" href="http://cs.baylor.edu/~donahoo/tools/gdb/tutorial.html">http://cs.baylor.edu/~donahoo/tools/gdb/tutorial.html</a>)<br>
    <br>
    FYI...your code won't compile. You have the following function
    defined inside function ModSecProcess(void *pkt, void *context). <br>
    <br>
    <pre>void removeSubstr(char *string, char *sub) {
    char *match = string;
    int len = strlen(sub);
    while((match = strstr(match, sub))) {
        *match = '\0';
        strcat(string, match+len);
        match++;
    }
}</pre>
    <br>
    Best,<br>
    Hui.<br>
    <div class="moz-cite-prefix">On 07/09/2015 10:41 AM, Big Whale
      wrote:<br>
    </div>
    <blockquote
      cite="mid:839088066.1873011.1436452862519.JavaMail.yahoo@...3559..."
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div style="color:#000; background-color:#fff;
        font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
        Lucida Grande, sans-serif;font-size:16px">
        <div id="yui_3_16_0_1_1436420134447_19044"><span
            id="yui_3_16_0_1_1436420134447_22608">The preprocessor can
            be loaded, but in the ModSecProcess() function the preprocessor
            is supposed to output the alert if the packet matched port 80.
            But it does not work, so I thought the problem could be the
            preprocessor rules. I already tried config
            autogenerate_preprocessor_decoder_rules in snort.conf and
            define the preprocessor alert generator id in the
            preprocessor_rules. Yet everything does not seem to work
            like it is supposed to. I am building my preprocessor based on
            the SSH preprocessor. Why don't you try compiling and running it
            locally so you can experience what kind of problem it is.</span></div>
        <br>
        <div class="qtdSeparateBR"><br>
          <br>
        </div>
        <div style="display: block;" class="yahoo_quoted">
          <div style="font-family: HelveticaNeue, Helvetica Neue,
            Helvetica, Arial, Lucida Grande, sans-serif; font-size:
            16px;">
            <div style="font-family: HelveticaNeue, Helvetica Neue,
              Helvetica, Arial, Lucida Grande, sans-serif; font-size:
              16px;">
              <div dir="ltr"> <font size="2" face="Arial"> On Thursday,
                  July 9, 2015 8:56 PM, Hui cao <a class="moz-txt-link-rfc2396E" href="mailto:huica@...3461...">&lt;huica@...3461...&gt;</a>
                  wrote:<br>
                </font> </div>
              <br>
              <br>
              <div class="y_msg_container">
                <div id="yiv0868062382">
                  <div> Hi Big Whale,<br clear="none">
                    <br clear="none">
                    Can you describe in detail what works and what does not?
                    Which decoder rule? Have you seen the rule get
                    triggered in your preprocessor? Again, the SSH
                    preprocessor has an example of how to generate a
                    preprocessor alert.<br clear="none">
                    <br clear="none">
                    Best,<br clear="none">
                    Hui.<br clear="none">
                    <br clear="none">
                    <div class="yiv0868062382yqt8020495202"
                      id="yiv0868062382yqt62966">
                      <div class="yiv0868062382moz-cite-prefix">On
                        07/09/2015 12:46 AM, Big Whale wrote:<br
                          clear="none">
                      </div>
                      <blockquote type="cite"> </blockquote>
                    </div>
                  </div>
                  <div class="yiv0868062382yqt8020495202"
                    id="yiv0868062382yqt88103">
                    <div>
                      <div
                        style="color:#000;background-color:#fff;font-family:HelveticaNeue,
                        Helvetica Neue, Helvetica, Arial, Lucida Grande,
                        sans-serif;font-size:16px;">
                        <div
                          id="yiv0868062382yui_3_16_0_1_1436413306311_4874">I
                          already added "config
                          autogenerate_preprocessor_decoder_rules" in my
                          snort.conf file and put the plugin's alerts in
                          the preprocessor.rules and gen-msg.map. But
                          still no alert from my preprocessor. The
                          preprocessor loaded correctly.<br clear="none">
                        </div>
                      </div>
                      <br clear="none">
                      <pre>_______________________________________________
Snort-devel mailing list
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="yiv0868062382moz-txt-link-abbreviated" ymailto="mailto:Snort-devel@lists.sourceforge.net" target="_blank" href="mailto:Snort-devel@lists.sourceforge.net">Snort-devel@lists.sourceforge.net</a>
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="yiv0868062382moz-txt-link-freetext" target="_blank" href="https://lists.sourceforge.net/lists/listinfo/snort-devel">https://lists.sourceforge.net/lists/listinfo/snort-devel</a>
Archive:
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="yiv0868062382moz-txt-link-freetext" target="_blank" href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel</a>

Please visit <a moz-do-not-send="true" rel="nofollow" shape="rect" class="yiv0868062382moz-txt-link-freetext" target="_blank" href="http://blog.snort.org/">http://blog.snort.org</a> for the latest news about Snort!</pre>
                      <br clear="none">
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
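    An added example, not part of the original thread or of the poster's code: the removeSubstr() helper quoted at the top of this message, written as a file-scope function (ISO C does not allow it to be defined inside ModSecProcess()) and using memmove(), because strcat() is undefined when source and destination overlap. The name remove_substr, the return value and the sample input are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical file-scope helper: removes every occurrence of sub from str,
 * in place, and returns how many occurrences were removed. */
static size_t remove_substr(char *str, const char *sub)
{
    size_t len, removed = 0;
    char *match;

    if (str == NULL || sub == NULL)
        return 0;
    len = strlen(sub);
    if (len == 0)   /* strstr() matches "" at every position: avoid an endless loop */
        return 0;

    match = str;
    while ((match = strstr(match, sub)) != NULL) {
        /* The tail is copied over the match, so the two regions overlap.
         * memmove() is defined for that case; strcat()/strcpy() are not.
         * The +1 carries the terminating NUL along with the tail. */
        memmove(match, match + len, strlen(match + len) + 1);
        removed++;
        /* match is not advanced: the shifted tail may itself begin with
         * another occurrence, which a match++ here would skip. */
    }
    return removed;
}

int main(void)
{
    /* Constructed sample input, not taken from the thread. */
    char buf[] = "xababy";
    size_t n = remove_substr(buf, "ab");

    printf("%zu removed -> \"%s\"\n", n, buf);
    return 0;
}
```

    The scan is a single left-to-right pass: it catches back-to-back occurrences, but not one that is formed only by joining text from before and after a removed match.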
  </body>
</html>