Snort mailing list archives
Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 26 Dec 2011 19:06:35 -0500
With the release of snort-2.9.2 final, I rebased my work for the ether_type rule option. Some of the data types changed which required it. In addition, I added the bit of code to DecodeIEEE80211Pkt to make it work with ether_type (no time to fix the mess w/ LLC/SNAP frame decoding right now), and I added documentation to the snort manual for the new option and tested it once I got the TeX tools set up and working.

Attached patch only modifies the snort_manual.tex file, so the PDF would need to be regenerated in an upcoming release if this is accepted. And let's not forget the hyperlinks in the manual next time :)

Changes:

 doc/snort_manual.tex | 105 ++++++
 src/decode.c | 120 +++++++
 src/decode.h | 27 +
 src/detect.c | 42 +-
 src/detection-plugins/Makefile.am | 3
 src/detection-plugins/Makefile.in | 8
 src/detection-plugins/detection_options.c | 14
 src/detection-plugins/sp_ether_type.c | 361 ++++++++++++++++++++++++
 src/detection-plugins/sp_ether_type.h | 125 ++++++++
 src/dynamic-plugins/sf_engine/sf_snort_packet.h | 3
 src/fpcreate.c | 252 +++++++++++++---
 src/fpcreate.h | 7
 src/fpdetect.c | 241 ++++++++++------
 src/fpdetect.h | 12
 src/parser.c | 183 ++++++++----
 src/plugbase.c | 2
 src/plugin_enum.h | 1
 src/rule_option_types.h | 3
 src/sfutil/sfportobject.h | 7
 src/snort.c | 14
 src/snort.h | 4
 21 files changed, 1313 insertions(+), 221 deletions(-)

Cheers!

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
Attachment:
snort-2.9.2-ether_type-support.patch
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Nov 13)
- Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Nov 20)
- Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Dec 26)