[Snort-users] Cannot get alert from dynamic_example preprocessor in output

Андрей Меньков nothingelsematters7 at ...11827...
Wed Feb 20 01:02:33 EST 2013


I've already found a link about preprocessor rules :)
http://manual.snort.org/node197.html
Didn't look at it before because of the too long "Configuration Snort" topic.


On 20 February 2013 08:59, Андрей Меньков <nothingelsematters7 at ...11827...>wrote:

> Great, it helped. Thank you very much, Victor.
> I have another little question: how could I get to know about
> preprocessor rules?
> Could you please point me to the documentation about them?
>
> I have used this tutorial for building my preprocessor:
> http://www.sans.org/reading_room/whitepapers/tools/developing-snort-dynamic-preprocessor_32874 .
> There is nothing in it about preprocessor rules. They use dynamic_example
> from the Snort sources too. Maybe the cause is that this tutorial is outdated?
>
>
> On 20 February 2013 00:16, Victor Roemer <vroemer at ...1935...> wrote:
>
>> I don't see where you actually enabled a preprocessor rule in your
>> configuration.
>>
>> Should look something like this...
>>
>> alert (msg:"Just lookn at dem source ports!"; sid:1; gid:256; rev:1;
>> metadata:rule-type preproc;)
>>
>>
>> Alter msg to your liking.
>>
>> On Tue, Feb 19, 2013 at 3:09 PM, Андрей Меньков <
>> nothingelsematters7 at ...11827...> wrote:
>>
>>> I have installed the latest Snort version from the site sources. I have Linux
>>> Mint 14 Nadia as my OS.
>>> I need to write a dynamic preprocessor, so I use the dynamic_example
>>> preprocessor that is in the tarball with Snort.
>>> The code: https://gist.github.com/AndreiMenkou/4989418
>>>
>>> I have a problem with outputting alerts and I don't know how to solve it.
>>> My dynamic preprocessor is loaded when Snort is run, and the ExampleProcess
>>> function that is used to process Snort packets is called.
>>> The problem actually is in the alertAdd function call:
>>>
>>> _dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3, SRC_PORT_MATCH_STR, 0);
>>>
>>> I'm sure that it's called, but no alerts are generated.
>>> I have added output to a file (using FILE* from <stdio.h>) before the call to the alertAdd function, and it works.
>>>
>>> So the problem is actually with alertAdd itself.
>>>
>>> I thought that this problem would be solved after configuring output modules, but this didn't help.
>>>
>>> I have added my custom rule in local.rules and alerts are generated and written to the expected file. But for _dpd.alertAdd there is nothing :-(
>>>
>>> How can I solve this problem? Any help would be appreciated.
>>>
>>> My conf file for output modules looks like:
>>>
>>> # unified2
>>> # Recommended for most installs
>>> output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>>>
>>> # Additional configuration for specific types of installs
>>> output alert_unified2: filename snort.alert, limit 128, nostamp
>>> output log_unified2: filename snort.log, limit 128, nostamp
>>>
>>> # syslog
>>> output alert_syslog: LOG_AUTH LOG_ALERT
>>>
>>> #alert fast
>>> output alert_fast: alert.fast
>>>
>>> # pcap
>>> # output log_tcpdump: tcpdump.log
>>>
>>> # metadata reference data.  do not modify these lines
>>> include classification.config
>>> include reference.config
>>>
>>> Full snort.conf file: https://gist.github.com/AndreiMenkou/4989412
>>>
>>> Config for the dynamic_example preprocessor:
>>>
>>> preprocessor dynamic_example: port 80
>>>
>>> Snort is running using the command:
>>> sudo snort -i wlan0 -c Projects/snort/etc/snort.conf -l ./log/
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>
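The practical takeaway from Victor's reply is that `_dpd.alertAdd` only produces an alert when a preprocessor rule (one tagged `metadata:rule-type preproc`) with the same gid and sid is actually loaded; a missing or commented-out rule makes the event vanish silently, exactly the symptom described above. The script below is an added example written for this page, not code from Snort or from either poster. It embeds a constructed C snippet modelled on the quoted alertAdd call (the values GENERATOR_EXAMPLE = 256 and SRC_PORT_MATCH = 1 are assumed so that they line up with the gid and sid in Victor's rule; DST_PORT_MATCH is a hypothetical second event) and a constructed preprocessor.rules fragment, then lists every (gid, sid) the preprocessor raises that no active rule covers.

```python
import re

# Constructed sample of a dynamic preprocessor source, modelled on the
# alertAdd call quoted in the thread. GENERATOR_EXAMPLE = 256 and
# SRC_PORT_MATCH = 1 are assumed values chosen to match Victor's rule;
# DST_PORT_MATCH is a hypothetical second event added for illustration.
SAMPLE_PREPROC_SOURCE = r'''
#define GENERATOR_EXAMPLE 256
#define SRC_PORT_MATCH 1
#define SRC_PORT_MATCH_STR "example_preprocessor: src port match"
#define DST_PORT_MATCH 2   /* hypothetical second event */
#define DST_PORT_MATCH_STR "example_preprocessor: dst port match"

static void ExampleProcess(void *pkt, void *context)
{
    /* ... */
    _dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3, SRC_PORT_MATCH_STR, 0);
    _dpd.alertAdd(GENERATOR_EXAMPLE, DST_PORT_MATCH, 1, 0, 3, DST_PORT_MATCH_STR, 0);
}
'''

# Constructed preprocessor.rules fragment: Victor's rule for sid 1, a
# commented-out rule for sid 2 (the kind of line that silently swallows
# events), and an ordinary text rule that must not count as a preproc rule.
SAMPLE_PREPROC_RULES = r'''
# preprocessor rules for the example preprocessor
alert (msg:"Just lookn at dem source ports!"; sid:1; gid:256; rev:1; metadata:rule-type preproc;)
# alert (msg:"dst port match"; sid:2; gid:256; rev:1; metadata:rule-type preproc;)
alert tcp any any -> any 80 (msg:"ordinary text rule"; sid:1000001; rev:1;)
'''

DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)\s+(\d+)\b', re.M)
ALERT_ADD_RE = re.compile(r'_dpd\.alertAdd\s*\(\s*(\w+)\s*,\s*(\w+)\s*,')
OPTION_RE = re.compile(r'(\w[\w-]*)\s*:\s*([^;]*);')


def parse_defines(source):
    """Map integer-valued #define names to their values."""
    return {name: int(value) for name, value in DEFINE_RE.findall(source)}


def resolve(token, defines):
    """Turn an alertAdd argument (literal or #define name) into an int, or None."""
    if token.isdigit():
        return int(token)
    return defines.get(token)


def find_alert_adds(source):
    """Return the (gid, sid) pairs passed to _dpd.alertAdd in a source file."""
    defines = parse_defines(source)
    pairs = []
    for gid_tok, sid_tok in ALERT_ADD_RE.findall(source):
        gid, sid = resolve(gid_tok, defines), resolve(sid_tok, defines)
        if gid is None or sid is None:
            raise ValueError(f"cannot resolve alertAdd({gid_tok}, {sid_tok}, ...)")
        pairs.append((gid, sid))
    return pairs


def parse_preproc_rules(rules_text):
    """Return {(gid, sid): msg} for active rules tagged rule-type preproc.

    Commented-out lines are skipped on purpose: a leading '#' means Snort
    never loads the rule, so the event has nothing to attach to."""
    rules = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        body = line[line.find('(') + 1:line.rfind(')')]
        opts = {key: value.strip() for key, value in OPTION_RE.findall(body)}
        if 'preproc' not in opts.get('metadata', ''):
            continue  # a normal text rule, not a preprocessor rule
        gid = int(opts.get('gid', 1))  # Snort's default gid is 1
        sid = int(opts['sid'])
        rules[(gid, sid)] = opts.get('msg', '').strip('"')
    return rules


def missing_preproc_rules(source, rules_text):
    """List (gid, sid) pairs the preprocessor raises that no loaded rule covers."""
    rules = parse_preproc_rules(rules_text)
    return [pair for pair in find_alert_adds(source) if pair not in rules]


if __name__ == '__main__':
    for gid, sid in missing_preproc_rules(SAMPLE_PREPROC_SOURCE, SAMPLE_PREPROC_RULES):
        print(f"no active preprocessor rule for gid:{gid} sid:{sid}")
```

Run against a real build, the two sample strings would be replaced by the contents of the preprocessor's .c file and of the preprocessor.rules file that snort.conf includes; anything the script reports is an event that will be raised but never alerted on, which is the situation in the original question.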