[Snort-users] Dynamic Preprocessor- packets from established flows

Alex Adamos alexthakidadam at ...125...
Thu Jan 31 14:04:23 EST 2013




> Date: Wed, 30 Jan 2013 09:33:35 -0500
> Subject: Re: [Snort-users] Dynamic Preprocessor- packets from established flows
> From: twease at ...1935...
> To: alexthakidadam at ...125...
> CC: snort-users at lists.sourceforge.net
> 
> Hi Alex,
> 
> On Tue, Jan 29, 2013 at 3:01 PM, Alex Adamos <alexthakidadam at ...125...> wrote:
> > Hi,
> >
> > i managed to get my own preprocessor running (using DPX starter kit). I
> > would like to know when a packet gets called by my preprocessor, whether
> > it's from an established flow or not. Can anyone help me how to do this?
> 
> Your preprocessor will be called in src/detect.c:Preprocess().  It
> will get called for any TCP/UDP packet with application data, raw off
> the wire, IP frag reassembled (via frag3) or TCP reassembled (via
> stream5).
In my case, I want to keep track of the TCP flows and keep state of the past connections/flows, so when the preproc gets called, I "save" the srcIP, dstIP, srcPort, dstPort for every TCP packet. I don't want to process any reassembled packets, so I did something like this:

    if (p->tcp_header) {
        if (p->pseudo_packet) {
            return;
        } else {
            GetIPandPorts();
        }
        return;
    }

However, my preproc function returns at the (p->pseudo_packet) check every time. What is the right way to process only the raw TCP packets (not the reassembled ones)?
> 
> >
> > Also, i have a counter to the packets being processed by my DPX, and i see a
> > significant difference with the other preprocessors. It's like my DPX
> > doesn't get called for every packet.
> > I add my preprocessor like this :
> >
> > _dpd.addPreproc(DPX_Process,
> > PRIORITY_LAST,PP_DPX,PROTO_BIT__TCP|PROTO_BIT__UDP);
> 
> This looks correct, however you've given it PRIORITY_LAST which means
> most of the other preprocessors are going to run before yours and
> there are some that will disable other preprocessors if they decided
> to do inspection which may be why your preprocessor isn't being called
> as often as you would think.  For example if http_inspect evaluates a
> packet, it's likely HTTP, and the other application layer
> preprocessors don't need to look at it.  If you want your preprocessor
> to run regardless, you could give it a higher priority, specifically
> higher than PRIORITY_APPLICATION, or look for DisableDetect(),
> disableDetect(), DisableAllDetect() and disableAllDetect() in the code
> - you'll likely see that when these are called, some other
> preprocessors are re-enabled and you could add a similar line for your
> preprocessor.
> 
Thanks, changed it to PRIORITY_TRANSPORT and realised the difference!
> >
> > thanks,
> > Alex.
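Added example (not from the thread, the DPX starter kit or Snort itself): a self-contained sketch of the flow tracker Alex describes, with the one check the question turns on, skipping packets that stream5 rebuilt and keying the table on a direction-independent 4-tuple so both halves of a connection land on one entry. SFSnortPacket is replaced here by a hypothetical stand-in struct (pkt_t) so the file compiles without the kit; FLAG_REBUILT_STREAM and its value are written from memory of sf_snort_packet.h and must be verified against the header in your kit, as must the flags field itself. Whether a flow is established is a separate question: stream5 tracks that in its session, so a real preprocessor would ask the stream API rather than its own table (the accessor name varies between 2.9.x releases and is not shown here).

```c
/* Added example: flow tracking for a Snort dynamic preprocessor, without
 * the DPX kit. pkt_t is a constructed stand-in for SFSnortPacket. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED name/value, recalled from sf_snort_packet.h; verify in your kit. */
#define FLAG_REBUILT_STREAM 0x00000002

/* Hypothetical stand-in for the parts of SFSnortPacket this example reads. */
typedef struct {
    int      is_tcp;            /* real struct: p->tcp_header != NULL */
    uint32_t src_ip, dst_ip;    /* host byte order for simplicity */
    uint16_t src_port, dst_port;
    uint32_t flags;             /* real struct: p->flags */
} pkt_t;

typedef struct { uint32_t ip_a, ip_b; uint16_t port_a, port_b; } flow_key_t;
typedef struct { flow_key_t key; uint32_t packets; int used; } flow_entry_t;

/* Small open-addressing table; a production preproc sizes and expires it. */
#define TABLE_SIZE 1024
static flow_entry_t table[TABLE_SIZE];
static unsigned flows_seen, raw_tcp_seen, rebuilt_skipped;

/* Order the two endpoints so client->server and server->client packets
 * produce the same key. memset first so memcmp/hash see no padding noise. */
static flow_key_t make_key(const pkt_t *p)
{
    flow_key_t k;
    memset(&k, 0, sizeof k);
    int src_first = (p->src_ip < p->dst_ip) ||
                    (p->src_ip == p->dst_ip && p->src_port <= p->dst_port);
    if (src_first) { k.ip_a = p->src_ip; k.port_a = p->src_port;
                     k.ip_b = p->dst_ip; k.port_b = p->dst_port; }
    else           { k.ip_a = p->dst_ip; k.port_a = p->dst_port;
                     k.ip_b = p->src_ip; k.port_b = p->src_port; }
    return k;
}

static uint32_t fnv1a(const void *data, size_t len)
{
    const uint8_t *b = data;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

/* Returns 1 when the packet opened a new flow, 0 when the flow was known,
 * -1 when the table is full (a real preproc would evict or alert). */
static int track_flow(const pkt_t *p)
{
    flow_key_t k = make_key(p);
    uint32_t idx = fnv1a(&k, sizeof k) % TABLE_SIZE;
    for (unsigned n = 0; n < TABLE_SIZE; n++, idx = (idx + 1) % TABLE_SIZE) {
        flow_entry_t *e = &table[idx];
        if (!e->used) { e->used = 1; e->key = k; e->packets = 1; flows_seen++; return 1; }
        if (memcmp(&e->key, &k, sizeof k) == 0) { e->packets++; return 0; }
    }
    return -1;
}

/* The preprocessor callback body: raw TCP only, rebuilt stream packets
 * (stream5 output) are counted and dropped before they reach the table. */
int dpx_process(const pkt_t *p)
{
    if (!p->is_tcp) return 0;
    if (p->flags & FLAG_REBUILT_STREAM) { rebuilt_skipped++; return 0; }
    raw_tcp_seen++;
    return track_flow(p);
}

uint32_t packets_in_flow(const pkt_t *p)
{
    flow_key_t k = make_key(p);
    uint32_t idx = fnv1a(&k, sizeof k) % TABLE_SIZE;
    for (unsigned n = 0; n < TABLE_SIZE; n++, idx = (idx + 1) % TABLE_SIZE) {
        if (!table[idx].used) return 0;
        if (memcmp(&table[idx].key, &k, sizeof k) == 0) return table[idx].packets;
    }
    return 0;
}

unsigned flows_tracked(void)           { return flows_seen; }
unsigned raw_tcp_packets(void)         { return raw_tcp_seen; }
unsigned rebuilt_packets_skipped(void) { return rebuilt_skipped; }
void reset_tracker(void)
{
    memset(table, 0, sizeof table);
    flows_seen = raw_tcp_seen = rebuilt_skipped = 0;
}

int main(void)
{
    /* Constructed packets: a SYN, its SYN/ACK, a stream5-rebuilt copy, a UDP packet. */
    pkt_t syn     = { .is_tcp = 1, .src_ip = 0x0a000001, .dst_ip = 0x0a000002,
                      .src_port = 40000, .dst_port = 80, .flags = 0 };
    pkt_t synack  = { .is_tcp = 1, .src_ip = 0x0a000002, .dst_ip = 0x0a000001,
                      .src_port = 80, .dst_port = 40000, .flags = 0 };
    pkt_t rebuilt = syn; rebuilt.flags = FLAG_REBUILT_STREAM;
    pkt_t udp     = syn; udp.is_tcp = 0;
    reset_tracker();
    dpx_process(&syn); dpx_process(&synack); dpx_process(&rebuilt); dpx_process(&udp);
    printf("flows=%u raw_tcp=%u rebuilt_skipped=%u packets_in_flow=%u\n",
           flows_tracked(), raw_tcp_packets(), rebuilt_packets_skipped(),
           packets_in_flow(&synack));
    return 0;
}
```

With the real kit, replace pkt_t by SFSnortPacket, test p->tcp_header for "is TCP" and p->flags for the rebuilt bit, and register the callback with _dpd.addPreproc at a priority above PRIORITY_APPLICATION, as the thread concludes, or the application-layer preprocessors may disable it before it runs.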