[Snort-users] Dynamic Preprocessor- packets from established flows

Alex Adamos alexthakidadam at ...125...
Thu Jan 31 14:28:00 EST 2013




> Date: Thu, 31 Jan 2013 14:22:55 -0500
> Subject: Re: [Snort-users] Dynamic Preprocessor- packets from established flows
> From: twease at ...1935...
> To: alexthakidadam at ...125...
> CC: snort-users at lists.sourceforge.net
> 
> On Thu, Jan 31, 2013 at 2:04 PM, Alex Adamos <alexthakidadam at ...125...> wrote:
> >
> >
> >> Date: Wed, 30 Jan 2013 09:33:35 -0500
> >> Subject: Re: [Snort-users] Dynamic Preprocessor- packets from established
> >> flows
> >> From: twease at ...1935...
> >> To: alexthakidadam at ...125...
> >> CC: snort-users at lists.sourceforge.net
> >
> >>
> >> Hi Alex,
> >>
> >> On Tue, Jan 29, 2013 at 3:01 PM, Alex Adamos <alexthakidadam at ...125...>
> >> wrote:
> >> > Hi,
> >> >
> >> > i managed to get my own preprocessor running (using DPX starter kit). I
> >> > would like to know when a packet gets called by my preprocessor, whether
> >> > it's from an established flow or not. Can anyone help me how to do this?
> >>
> >> Your preprocessor will be called in src/detect.c:Preprocess(). It
> >> will get called for any TCP/UDP packet with application data, raw off
> >> the wire, IP frag reassembled (via frag3) or TCP reassembled (via
> >> stream5).
> >
> > In my case, I want to keep track of the TCP flows and keep state of the past
> > connections/flows, so when the preproc gets called, I "save" the
> > srcIP, dstIP, srcPort, dstPort for every TCP packet. I don't want to process any
> > reassembled packets, so I did something like this:
> >
> >     if (p->tcp_header) {
> >         if (p->pseudo_packet) {
> >             return;
> >         } else {
> >             GetIPandPorts();
> >         }
> >         return;
> >     }
> >
> > However, my preproc function returns at the (p->pseudo_packet) check every time.
> > What is the right way to process only the raw TCP packets (not the
> > reassembled ones)?
> 
> Instead of "p->pseudo_packet" (did you mean p->pseudo_type?), you
> could try something like:
> 
Yes, my fault, I intended to write pseudo_type.
> if (p->flags & FLAG_REBUILT_STREAM)
>    return;
This isn't referring to the whole stream? Thanks, I'll try that!
PS. Sorry for my bad English.
> >
> >>
> >> >
> >> > Also, i have a counter to the packets being processed by my DPX, and i
> >> > see a
> >> > significant difference with the other preprocessors. It's like my DPX
> >> > doesn't get called for every packet.
> >> > I add my preprocessor like this :
> >> >
> >> > _dpd.addPreproc(DPX_Process,
> >> > PRIORITY_LAST,PP_DPX,PROTO_BIT__TCP|PROTO_BIT__UDP);
> >>
> >> This looks correct, however you've given it PRIORITY_LAST which means
> >> most of the other preprocessors are going to run before yours and
> >> there are some that will disable other preprocessors if they decided
> >> to do inspection which may be why your preprocessor isn't being called
> >> as often as you would think. For example if http_inspect evaluates a
> >> packet, it's likely HTTP, and the other application layer
> >> preprocessors don't need to look at it. If you want your preprocessor
> >> to run regardless, you could give it a higher priority, specifically
> >> higher than PRIORITY_APPLICATION, or look for DisableDetect(),
> >> disableDetect(), DisableAllDetect() and disableAllDetect() in the code
> >> - you'll likely see that when these are called, some other
> >> preprocessors are re-enabled and you could add a similar line for your
> >> preprocessor.
> >>
> >
> > Thanks, I changed it to PRIORITY_TRANSPORT and realised the difference!
> >> >
> >> > thanks,
> >> > Alex.
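The two points raised in this thread (skip packets that stream5 has rebuilt by testing `p->flags & FLAG_REBUILT_STREAM`, then record the TCP 4-tuple of the raw packets) fit in one small callback. The block below is an added, stand-alone model of such a DPX-style process function; it is not Alex's code, not Todd's, and not Snort's. Snort's real `SFSnortPacket`, its `tcp_header` layout and the numeric value of `FLAG_REBUILT_STREAM` (from `sf_snort_packet.h`) are replaced here by constructed stand-ins so the file compiles without the Snort headers; the sample packets in `dpx_run_sample()` are constructed too.

```c
/* Added example (not from the mailing-list thread or from Snort itself):
 * a DPX-style preprocessor callback that ignores stream5-rebuilt packets
 * and keeps a table of raw TCP 4-tuples. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the FLAG_REBUILT_STREAM bit in SFSnortPacket.flags;
 * the real definition is in Snort's sf_snort_packet.h. */
#define FLAG_REBUILT_STREAM 0x00000004u

/* Constructed minimal model of the packet fields this example needs. */
typedef struct {
    uint16_t source_port;
    uint16_t destination_port;
} TcpHeader;

typedef struct {
    uint32_t src_ip;              /* IPv4, host byte order (constructed) */
    uint32_t dst_ip;
    const TcpHeader *tcp_header;  /* NULL when the packet is not TCP */
    uint32_t flags;               /* FLAG_* bits set by the decoder / stream5 */
} Packet;

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
} FlowKey;

#define MAX_FLOWS 64
static FlowKey flow_table[MAX_FLOWS];
static int flow_count = 0;
static unsigned long rebuilt_skipped = 0;

void dpx_reset(void) { flow_count = 0; rebuilt_skipped = 0; }
int dpx_flow_count(void) { return flow_count; }
unsigned long dpx_rebuilt_skipped(void) { return rebuilt_skipped; }

static int same_flow(const FlowKey *a, const FlowKey *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* Linear lookup is enough for a demo; a real preprocessor would hash the key.
 * Returns the table index, or -1 when the table is full. */
static int find_or_add_flow(const FlowKey *k) {
    for (int i = 0; i < flow_count; i++)
        if (same_flow(&flow_table[i], k)) return i;
    if (flow_count == MAX_FLOWS) return -1;
    flow_table[flow_count] = *k;
    return flow_count++;
}

/* The callback body. The preprocessor is registered for TCP, so non-TCP
 * packets are ignored; stream5-rebuilt packets are counted and skipped so
 * only raw, on-the-wire segments feed the flow table. */
int DPX_Process(const Packet *p) {
    if (p->tcp_header == NULL) return -1;
    if (p->flags & FLAG_REBUILT_STREAM) {   /* the check suggested in the reply */
        rebuilt_skipped++;
        return -1;
    }
    FlowKey k = { p->src_ip, p->dst_ip,
                  p->tcp_header->source_port, p->tcp_header->destination_port };
    return find_or_add_flow(&k);
}

/* Feeds a constructed sample: two raw segments of one flow, one raw segment
 * of a second flow, one rebuilt packet and one non-TCP packet.
 * Returns the number of distinct flows recorded (expected: 2). */
int dpx_run_sample(void) {
    static const TcpHeader a = { 40000, 80 }, b = { 40001, 443 };
    const Packet pkts[] = {
        { 0x0A000001u, 0x0A000002u, &a, 0 },
        { 0x0A000001u, 0x0A000002u, &a, 0 },                    /* same flow again */
        { 0x0A000001u, 0x0A000003u, &b, 0 },                    /* second flow */
        { 0x0A000001u, 0x0A000002u, &a, FLAG_REBUILT_STREAM },  /* skipped */
        { 0x0A000001u, 0x0A000002u, NULL, 0 },                  /* not TCP */
    };
    dpx_reset();
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        DPX_Process(&pkts[i]);
    return dpx_flow_count();
}

int main(void) {
    int n = dpx_run_sample();
    printf("flows tracked: %d, rebuilt packets skipped: %lu\n",
           n, dpx_rebuilt_skipped());
    return 0;
}
```

Registration priority still matters independently of this check: as the reply explains, a preprocessor added with PRIORITY_LAST may not see every packet because an earlier application-layer preprocessor can disable further inspection, which is why the flow table above should be fed from a callback registered at transport priority.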