Snort mailing list archives
Re: [Snort devel] Storing Packet data
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 17 Mar 2010 12:56:28 -0400
p->payload is the start of payload data; p->payload + p->payload_size is one byte past the end.

Any conversion will depend on your application. You will have ASCII for typical IP-based ASCII protocols.

Hope that helps.

Russ

On Wed, Mar 17, 2010 at 12:29 PM, Dirk Maarten van Duijn <dirkmaarten () gmail com> wrote:
Good day,

I am new to mailing boards in general, so I hope I stick to the unwritten rules; if not, I'm sorry. Also, English isn't my native language, so some sentences have some issues :)

I am working on a dynamic preprocessor for Snort and I am running into some problems. The idea behind the preprocessor is that it saves a specific amount of kilobytes from a download as data, hashes that data and compares the hash to an internal whitelist. The general idea is working: the saving, hashing and comparing. I tested this locally by implementing a stub and it seems to work like it should.

Now when I use the preprocessor the way you should use a preprocessor, in combination with an Internet connection, it isn't working. The preprocessor gets the packets, and all is well except for the fact that the payload of the packet doesn't make sense. It doesn't make sense in the way that the payload is empty most of the time while it shouldn't be empty. I know it isn't empty by comparing the received packets with a packet sniffer: the fields match (seq, ack etc.) but not the payload. The received packets are checked with GDB. However, the payload size seems to be set correctly. I thought I was able to get the payload by getting the memory from p->payload + p->payloadsize.

So my actual question is this: How do I get the payload of a packet? And when I have that data, how do I convert it to ASCII, if possible? Is there some flag I need to set somewhere to receive the data?

I changed the order of preprocessors. I changed the priority from application to scanner and all other flags really. I tried all kinds of weird ways to access the memory (I'm not very skilled with C). I examined the code of the other preprocessors and they just seem to access the payload data as they please.
I hope I included enough information; otherwise, thanks for reading this far.

Greetings,
Dirk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
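The pointer arithmetic Russ describes, as an added example that is not code from the thread or from Snort itself: a bounded copy of the first N bytes of payload into a per-download buffer (the "save a few kilobytes, then hash" use case) and a printability check for the ASCII question. FakePacket, MAX_SAVE and the sample payload are constructed stand-ins for the two Snort Packet fields discussed; the real struct has many more members.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical stand-in for the two Snort Packet fields this thread is about. */
typedef struct {
    const uint8_t *payload;      /* first byte of application payload */
    uint16_t       payload_size; /* payload + payload_size is ONE PAST the end */
} FakePacket;

#define MAX_SAVE 4096            /* hypothetical cap: keep at most this many bytes */

/* Append this packet's payload to buf until MAX_SAVE bytes have been collected.
 * Reads only [p->payload, p->payload + p->payload_size); the address
 * p->payload + p->payload_size itself is never dereferenced, which is the
 * mistake in the original question. Returns the number of bytes copied. */
size_t save_payload(const FakePacket *p, uint8_t *buf, size_t *used) {
    if (!p || !p->payload || p->payload_size == 0 || *used >= MAX_SAVE)
        return 0;                                   /* nothing to do */
    const uint8_t *start = p->payload;              /* start of data */
    const uint8_t *end   = p->payload + p->payload_size; /* exclusive bound */
    size_t n = (size_t)(end - start);
    size_t room = MAX_SAVE - *used;
    if (n > room)
        n = room;                                   /* clip to the cap, never past buf */
    memcpy(buf + *used, start, n);
    *used += n;
    return n;
}

/* Count bytes that are printable ASCII (plus CR/LF/TAB). For an ASCII-based
 * protocol this equals the length; binary data needs protocol-specific decoding. */
size_t count_printable(const uint8_t *data, size_t len) {
    size_t c = 0;
    for (size_t i = 0; i < len; i++)
        if (isprint(data[i]) || data[i] == '\r' || data[i] == '\n' || data[i] == '\t')
            c++;
    return c;
}

/* Constructed sample payload (an HTTP status line), not a captured packet. */
static const uint8_t SAMPLE[] = "HTTP/1.1 200 OK\r\n";

/* Feed one sample packet through the accumulator; returns bytes stored. */
size_t demo(uint8_t *buf) {
    FakePacket p = { SAMPLE, (uint16_t)(sizeof(SAMPLE) - 1) };
    size_t used = 0;
    save_payload(&p, buf, &used);
    return used;
}
```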