[Snort-users] Cannot get alert from dynamic_example preprocessor in output

Андрей Меньков nothingelsematters7 at ...11827...
Tue Feb 19 15:09:53 EST 2013


I have installed the latest Snort version from the site sources. I have Linux Mint
14 Nadia as my OS.
I need to write a dynamic preprocessor, so I use the dynamic_example preprocessor
that is in the tarball with Snort.
Here is the code: https://gist.github.com/AndreiMenkou/4989418

I have a problem with outputting alerts and I don't know how to solve it.
My dynamic preprocessor is loaded when Snort is run, and the ExampleProcess
function that is used to process Snort packets is called.
The problem is actually in the alertAdd function call:

_dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3,
SRC_PORT_MATCH_STR, 0);

I'm sure that it's called, but no alerts are generated.
I have added output to a file (using FILE* from <stdio.h>) before the call to
the alertAdd function, and that works.
So the problem is actually with alertAdd itself.

I thought that this problem would be solved after configuring the output
modules, but this didn't help.
I have added my custom rule in local.rules and alerts are generated
and written to the expected file. But for _dpd.alertAdd there is nothing
:-(

How can I solve this problem? Any help would be appreciated.

My conf file for the output modules looks like:

# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp,
mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

# syslog
output alert_syslog: LOG_AUTH LOG_ALERT

#alert fast
output alert_fast: alert.fast

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include classification.config
include reference.config


Full snort.conf file : https://gist.github.com/AndreiMenkou/4989412

Config for dynamic_example preprocessor:

preprocessor dynamic_example: port 80

Snort is running using the command:
sudo snort -i wlan0 -c Projects/snort/etc/snort.conf -l ./log/
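Added example, not from the post above or from the Snort tarball: a stand-alone C model of the event path the post describes, so the preprocessor's process callback can be exercised and checked outside of Snort. The `_dpd` table, the packet struct and the alert sink are simplified stand-ins for Snort's real `DynamicPreprocessorData`, `SFSnortPacket` and event queue; the `alertAdd` signature is assumed from the call shown in the post, and the numeric values of `GENERATOR_EXAMPLE`, `SRC_PORT_MATCH` and the `DST_PORT_MATCH` identifiers are assumptions modelled after the dynamic_example preprocessor, not taken from the post.

```c
/* Added example: a stand-alone model of how a Snort dynamic preprocessor
 * hands an event to the engine through the _dpd dispatch table. Everything
 * here is a simplified stand-in for Snort's real structures (assumption),
 * so the callback logic can be unit-tested without loading it into Snort. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Identifiers modelled after the dynamic_example preprocessor (assumed values). */
#define GENERATOR_EXAMPLE   256
#define SRC_PORT_MATCH      1
#define SRC_PORT_MATCH_STR  "example_preprocessor: src port match"
#define DST_PORT_MATCH      2
#define DST_PORT_MATCH_STR  "example_preprocessor: dest port match"

/* Minimal stand-in for Snort's SFSnortPacket: only the fields we look at. */
typedef struct {
    uint16_t src_port;
    uint16_t dst_port;
    int      has_tcp_header;   /* 1 if the packet carries a TCP header */
} ExamplePacket;

/* Minimal stand-in for the _dpd table; the alertAdd signature mirrors the
 * argument list of the call in the post (assumption). */
typedef struct {
    int (*alertAdd)(unsigned gid, unsigned sid, unsigned rev,
                    unsigned classification, unsigned priority,
                    const char *msg, void *rule_info);
} ExampleDpd;

/* Events recorded by the stub sink, so a harness can inspect what was raised. */
typedef struct { unsigned gid, sid; char msg[64]; } RecordedAlert;
static RecordedAlert g_alerts[16];
static int g_alert_count = 0;

/* Stub alert sink: stands in for the engine's event queue. */
static int stub_alert_add(unsigned gid, unsigned sid, unsigned rev,
                          unsigned classification, unsigned priority,
                          const char *msg, void *rule_info)
{
    (void)rev; (void)classification; (void)priority; (void)rule_info;
    if (g_alert_count >= 16) return -1;
    g_alerts[g_alert_count].gid = gid;
    g_alerts[g_alert_count].sid = sid;
    snprintf(g_alerts[g_alert_count].msg, sizeof g_alerts[0].msg, "%s", msg);
    g_alert_count++;
    return 0;
}

static ExampleDpd _dpd = { stub_alert_add };

/* Port configured by "preprocessor dynamic_example: port 80". */
static uint16_t g_port_to_check = 80;

/* Process callback in the shape of ExampleProcess: compare the configured
 * port against the packet and raise one event per matching packet. */
static void ExampleProcess(ExamplePacket *p)
{
    if (!p->has_tcp_header)
        return;
    if (p->src_port == g_port_to_check) {
        _dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3,
                      SRC_PORT_MATCH_STR, 0);
        return;
    }
    if (p->dst_port == g_port_to_check) {
        _dpd.alertAdd(GENERATOR_EXAMPLE, DST_PORT_MATCH, 1, 0, 3,
                      DST_PORT_MATCH_STR, 0);
    }
}

int alert_count(void) { return g_alert_count; }
unsigned alert_sid_at(int i) { return (i >= 0 && i < g_alert_count) ? g_alerts[i].sid : 0; }
unsigned alert_gid_at(int i) { return (i >= 0 && i < g_alert_count) ? g_alerts[i].gid : 0; }

/* Drive the callback with constructed packets; returns the number of events raised. */
int run_example(void)
{
    ExamplePacket pkts[] = {
        { 80,    54321, 1 },   /* source port matches  -> SRC_PORT_MATCH */
        { 54321, 80,    1 },   /* dest port matches    -> DST_PORT_MATCH */
        { 443,   54321, 1 },   /* no match             -> no event */
        { 80,    80,    0 },   /* no TCP header        -> ignored */
    };
    g_alert_count = 0;
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        ExampleProcess(&pkts[i]);
    return g_alert_count;
}

int main(void)
{
    run_example();
    for (int i = 0; i < g_alert_count; i++)
        printf("gid %u sid %u: %s\n", g_alerts[i].gid, g_alerts[i].sid, g_alerts[i].msg);
    return 0;
}
```

Running the model shows two events for the four constructed packets, which confirms that the callback reaches `alertAdd` with the expected generator and signature ids; swapping the stub sink for Snort's real table is where the engine-side handling (output modules, rule metadata for the gid/sid pair) takes over, so a difference between this harness and a live run points at that side rather than at the callback.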