Re: Cannot get alert from dynamic_example preprocessor in output

[Victor Roemer <vroemer () sourcefire com>]

I don't see where you actually enabled a preprocessor rule in your
configuration..

Should look something like this...

alert (msg:"Just lookn at dem source ports!"; sid:1; gid:256; rev:1;
metadata:rule-type preproc;)


Altering msg to your liking..

On Tue, Feb 19, 2013 at 3:09 PM, Андрей Меньков <
nothingelsematters7 () gmail com> wrote:

> I have installed latest snort version from site sources. I have Linux Mint
> 14 Nadia as my OS.
> I need to write a dynamic processor, so I use dynamic_example preprocessor
> that is in tarball with Snort.
> It's the code https://gist.github.com/AndreiMenkou/4989418
>
> I have a problem with outputting alerts and I don't know how to solve it.
> My dynamic preprocessor is loaded when snort is run. And ExampleProcess
> function that is used to process Snort packets is called.
> The problem actually is in alertAdd function call:
>
> _dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3, SRC_PORT_MATCH_STR, 0);
>
> I'm sure that it's called but no alerts are generated
> I have added output to file (using FILE* of <stdio.h>) before call to alertAdd function - and it works.
> So the problem is actually with alertAdd itself
>
> I thought that this problem will be solved after configuring output modules, but this didn't helped.
> I have added my custom rule in local.rules and alerts are generated and wroten to expected file. But for 
> _dpd.alertAdd there is nothing :-(
>
>
> How can I solve this problem? Any help would be appreciated
>
> My conf file for output modules look like :
>
> # unified2
> # Recommended for most installs
> output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>
> # Additional configuration for specific types of installs
> output alert_unified2: filename snort.alert, limit 128, nostamp
> output log_unified2: filename snort.log, limit 128, nostamp
>
> # syslog
> output alert_syslog: LOG_AUTH LOG_ALERT
>
> #alert fast
> output alert_fast: alert.fast
>
> # pcap
> # output log_tcpdump: tcpdump.log
>
> # metadata reference data.  do not modify these lines
> include classification.config
> include reference.config
>
>
> Full snort.conf file : https://gist.github.com/AndreiMenkou/4989412
>
>
> Config for dynamic_example preprocessor:
>
>
> preprocessor dynamic_example: port 80
>
>
> Snort is running using command :
> sudo snort -i wlan0 -c Projects/snort/etc/snort.conf -l ./log/
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!