[Snort-users] Dynamic Preprocessor- packets from established flows

Todd Wease twease at ...1935...
Thu Jan 31 14:22:55 EST 2013


On Thu, Jan 31, 2013 at 2:04 PM, Alex Adamos <alexthakidadam at ...125...> wrote:
>
>
>> Date: Wed, 30 Jan 2013 09:33:35 -0500
>> Subject: Re: [Snort-users] Dynamic Preprocessor- packets from established
>> flows
>> From: twease at ...1935...
>> To: alexthakidadam at ...125...
>> CC: snort-users at lists.sourceforge.net
>
>>
>> Hi Alex,
>>
>> On Tue, Jan 29, 2013 at 3:01 PM, Alex Adamos <alexthakidadam at ...125...>
>> wrote:
>> > Hi,
>> >
>> > I managed to get my own preprocessor running (using the DPX starter kit). I
>> > would like to know, when my preprocessor is called for a packet, whether
>> > it's from an established flow or not. Can anyone tell me how to do this?
>>
>> Your preprocessor will be called in src/detect.c:Preprocess(). It
>> will get called for any TCP/UDP packet with application data, raw off
>> the wire, IP frag reassembled (via frag3) or TCP reassembled (via
>> stream5).
>
> In my case, I want to keep track of the TCP flows and keep state of the past
> connections/flows, so when the preproc gets called, I "save" the
> srcIP, dstIP, srcPort, dstPort for every TCP packet. I don't want to process any
> reassembled packets, so I did something like this:
>
>     if (p->tcp_header) {
>         if (p->pseudo_packet) {
>             return;
>         } else {
>             GetIPandPorts();
>         }
>         return;
>     }
>
> However, my preproc function returns at the (p->pseudo_packet) check every time.
> What is the right way to process only the raw TCP packets (not the
> reassembled ones)?

Instead of "p->pseudo_packet" (did you mean p->pseudo_type?), you
could try something like:

if (p->flags & FLAG_REBUILT_STREAM)
   return;

>
>>
>> >
>> > Also, I have a counter of the packets being processed by my DPX, and I
>> > see a
>> > significant difference from the other preprocessors. It's like my DPX
>> > doesn't get called for every packet.
>> > I add my preprocessor like this :
>> >
>> > _dpd.addPreproc(DPX_Process,
>> > PRIORITY_LAST,PP_DPX,PROTO_BIT__TCP|PROTO_BIT__UDP);
>>
>> This looks correct, however you've given it PRIORITY_LAST which means
>> most of the other preprocessors are going to run before yours and
>> there are some that will disable other preprocessors if they decided
>> to do inspection which may be why your preprocessor isn't being called
>> as often as you would think. For example if http_inspect evaluates a
>> packet, it's likely HTTP, and the other application layer
>> preprocessors don't need to look at it. If you want your preprocessor
>> to run regardless, you could give it a higher priority, specifically
>> higher than PRIORITY_APPLICATION, or look for DisableDetect(),
>> disableDetect(), DisableAllDetect() and disableAllDetect() in the code
>> - you'll likely see that when these are called, some other
>> preprocessors are re-enabled and you could add a similar line for your
>> preprocessor.
>>
>
> Thanks, changed it to PRIORITY_TRANSPORT and realised the difference!
>> >
>> > Thanks,
>> > Alex.
