[Snort-users] Cannot get alert from dynamic_example preprocessor in output

Андрей Меньков nothingelsematters7 at ...11827...
Wed Feb 20 00:59:08 EST 2013


Great, it helped. Thank you very much, Victor.
I have another little question: how can I find out about preprocessor
rules?
Could you please point me to the documentation about them?

I have used this tutorial for building my preprocessor:
http://www.sans.org/reading_room/whitepapers/tools/developing-snort-dynamic-preprocessor_32874
There is nothing in it about preprocessor rules. They use dynamic_example
from the Snort sources too. Maybe the cause is that this tutorial is out of date?


On 20 February 2013 00:16, Victor Roemer <vroemer at ...1935...> wrote:

> I don't see where you actually enabled a preprocessor rule in your
> configuration..
>
> Should look something like this...
>
> alert (msg:"Just lookn at dem source ports!"; sid:1; gid:256; rev:1;
> metadata:rule-type preproc;)
>
>
> Altering msg to your liking..
>
> On Tue, Feb 19, 2013 at 3:09 PM, Андрей Меньков <
> nothingelsematters7 at ...11827...> wrote:
>
>> I have installed the latest Snort version from the site sources. I have Linux
>> Mint 14 Nadia as my OS.
>> I need to write a dynamic preprocessor, so I use the dynamic_example
>> preprocessor that is in the tarball with Snort.
>> The code is at https://gist.github.com/AndreiMenkou/4989418
>>
>> I have a problem with outputting alerts and I don't know how to solve it.
>> My dynamic preprocessor is loaded when Snort is run, and the ExampleProcess
>> function that is used to process Snort packets is called.
>> The problem is actually in the alertAdd function call:
>>
>> _dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3, SRC_PORT_MATCH_STR, 0);
>>
>> I'm sure that it's called, but no alerts are generated.
>> I have added output to a file (using FILE* from <stdio.h>) before the call to the alertAdd function, and it works.
>>
>> So the problem is actually with alertAdd itself.
>>
>> I thought this problem would be solved after configuring output modules, but this didn't help.
>>
>> I have added my custom rule in local.rules and alerts are generated and written to the expected file. But for _dpd.alertAdd there is nothing :-(
>>
>> How can I solve this problem? Any help would be appreciated.
>>
>> My conf file for output modules looks like:
>>
>> # unified2
>> # Recommended for most installs
>> output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>>
>> # Additional configuration for specific types of installs
>> output alert_unified2: filename snort.alert, limit 128, nostamp
>> output log_unified2: filename snort.log, limit 128, nostamp
>>
>> # syslog
>> output alert_syslog: LOG_AUTH LOG_ALERT
>>
>> #alert fast
>> output alert_fast: alert.fast
>>
>> # pcap
>> # output log_tcpdump: tcpdump.log
>>
>> # metadata reference data.  do not modify these lines
>> include classification.config
>> include reference.config
>>
>> Full snort.conf file: https://gist.github.com/AndreiMenkou/4989412
>>
>> Config for dynamic_example preprocessor:
>>
>> preprocessor dynamic_example: port 80
>>
>> Snort is run using the command:
>> sudo snort -i wlan0 -c Projects/snort/etc/snort.conf -l ./log/
>>
>>
>>
>
>
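The mismatch Victor points at (an alertAdd call whose generator/signature id pair has no enabled preprocessor rule, so the event is raised but never becomes an alert) can be checked mechanically before starting Snort. The script below is an added example, not code from this thread or from Snort; it assumes dynamic_example's macro values GENERATOR_EXAMPLE = 256 and SRC_PORT_MATCH = 1 (the thread itself only shows gid:256 and sid:1 in Victor's rule) and works on constructed sample inputs embedded inline.

```python
import re

# Constructed sample: the alertAdd call quoted in the thread, plus the macro values
# assumed to match Snort's dynamic_example (the thread only shows gid:256, sid:1).
PREPROC_SOURCE = """
#define GENERATOR_EXAMPLE 256
#define SRC_PORT_MATCH 1
#define SRC_PORT_MATCH_STR "example_preprocessor: src port match"
_dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3, SRC_PORT_MATCH_STR, 0);
"""

# Constructed rule sets: one with the preprocessor rule from Victor's reply, one with
# only an ordinary text rule, which enables no preprocessor event at all.
RULES_ENABLED = """
alert (msg:"Just lookn at dem source ports!"; sid:1; gid:256; rev:1; metadata:rule-type preproc;)
alert tcp any any -> any 80 (msg:"plain text rule"; sid:1000001; rev:1;)
"""
RULES_MISSING = 'alert tcp any any -> any 80 (msg:"plain text rule"; sid:1000001; rev:1;)\n'

DEFINE_RE = re.compile(r"#define\s+(\w+)\s+(\d+)")
# Only the first two alertAdd arguments (generator id, signature id) identify the event.
ALERTADD_RE = re.compile(r"_dpd\.alertAdd\(\s*(\w+)\s*,\s*(\w+)\s*,")
# A preprocessor rule has no protocol/address header: the option block follows "alert".
PREPROC_RULE_RE = re.compile(r"^\s*alert\s*\((.*)\)\s*$", re.M)
OPT_RE = re.compile(r"(\w[\w-]*)\s*:\s*([^;]+);")


def events_raised(c_source):
    """(gid, sid) pairs that the preprocessor's alertAdd calls can raise."""
    defines = {name: int(val) for name, val in DEFINE_RE.findall(c_source)}
    # Arguments may be macros (resolved via the #defines) or bare integer literals.
    return {(int(defines.get(g, g)), int(defines.get(s, s)))
            for g, s in ALERTADD_RE.findall(c_source)}


def events_enabled(rules_text):
    """(gid, sid) pairs enabled by rules tagged metadata:rule-type preproc."""
    enabled = set()
    for body in PREPROC_RULE_RE.findall(rules_text):
        opts = dict(OPT_RE.findall(body))
        tags = [m.strip() for m in opts.get("metadata", "").split(",")]
        if "rule-type preproc" in tags and "gid" in opts and "sid" in opts:
            enabled.add((int(opts["gid"]), int(opts["sid"])))
    return enabled


def silent_events(c_source, rules_text):
    """Events the preprocessor raises that no enabled preprocessor rule turns into an alert."""
    return sorted(events_raised(c_source) - events_enabled(rules_text))
```

Snort ships its own preprocessor rules under preproc_rules/ and the stock snort.conf includes them through $PREPROC_RULE_PATH; feed the script whichever rule files your configuration actually includes.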