Snort mailing list archives
Re: Cannot get alert from dynamic_example preprocessor in output
From: Андрей Меньков <nothingelsematters7 () gmail com>
Date: Wed, 20 Feb 2013 08:59:08 +0300
Great, it helped. Thank you very much, Victor. I have another little question: how could I get to know about preprocessor rules? Could you please point me to the documentation place about them? I have used this tutorial for building my preprocessor: http://www.sans.org/reading_room/whitepapers/tools/developing-snort-dynamic-preprocessor_32874 . There is nothing in it about preprocessor rules. They use dynamic_example from the Snort sources too. Maybe the cause is that this tutorial is out-dated?

On 20 February 2013 00:16, Victor Roemer <vroemer () sourcefire com> wrote:
I don't see where you actually enabled a preprocessor rule in your configuration.. Should look something like this...

    alert (msg:"Just lookn at dem source ports!"; sid:1; gid:256; rev:1; metadata:rule-type preproc;)

Altering msg to your liking..

On Tue, Feb 19, 2013 at 3:09 PM, Андрей Меньков <nothingelsematters7 () gmail com> wrote:

I have installed the latest Snort version from the site sources. I have Linux Mint 14 Nadia as my OS. I need to write a dynamic processor, so I use the dynamic_example preprocessor that is in the tarball with Snort. It's the code https://gist.github.com/AndreiMenkou/4989418

I have a problem with outputting alerts and I don't know how to solve it. My dynamic preprocessor is loaded when snort is run, and the ExampleProcess function that is used to process Snort packets is called. The problem actually is in the alertAdd function call:

    _dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3, SRC_PORT_MATCH_STR, 0);

I'm sure that it's called but no alerts are generated. I have added output to a file (using FILE* of <stdio.h>) before the call to the alertAdd function, and it works. So the problem is actually with alertAdd itself. I thought that this problem would be solved after configuring output modules, but this didn't help. I have added my custom rule in local.rules and alerts are generated and written to the expected file. But for _dpd.alertAdd there is nothing :-( How can I solve this problem? Any help would be appreciated.

My conf file for output modules looks like:

    # unified2
    # Recommended for most installs
    output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
    # Additional configuration for specific types of installs
    output alert_unified2: filename snort.alert, limit 128, nostamp
    output log_unified2: filename snort.log, limit 128, nostamp
    # syslog
    output alert_syslog: LOG_AUTH LOG_ALERT
    #alert fast
    output alert_fast: alert.fast
    # pcap
    # output log_tcpdump: tcpdump.log
    # metadata reference data. do not modify these lines
    include classification.config
    include reference.config

Full snort.conf file: https://gist.github.com/AndreiMenkou/4989412

Config for dynamic_example preprocessor:

    preprocessor dynamic_example: port 80

Snort is run using the command:

    sudo snort -i wlan0 -c Projects/snort/etc/snort.conf -l ./log/

------------------------------------------------------------------------------
Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
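The point of Victor's answer is that a dynamic preprocessor's _dpd.alertAdd() only produces output once a preprocessor rule with the same gid/sid pair (here gid:256, sid:1) and metadata:rule-type preproc is enabled. As an added example, not code from this thread or from Snort, the Python script below cross-checks the (gid, sid) pairs a preprocessor source raises via _dpd.alertAdd() against the preprocessor rules actually present in a rules file; it assumes the gid/sid arguments are numeric #defines in the same source (GENERATOR_EXAMPLE = 256 and SRC_PORT_MATCH = 1 are taken from Victor's rule, DST_PORT_MATCH = 2 is a constructed second event), and both sample inputs are constructed.

```python
import re

# Constructed sample: Victor's preprocessor rule plus an ordinary local.rules
# style rule for contrast (no gid, not a preproc rule).
RULES_TEXT = """
alert (msg:"Just lookn at dem source ports!"; sid:1; gid:256; rev:1; metadata:rule-type preproc;)
alert tcp any any -> any 80 (msg:"local rule"; sid:1000001; rev:1;)
"""

# Constructed sample of preprocessor source: two alertAdd calls, only one enabled above.
PREPROC_SOURCE = """
#define GENERATOR_EXAMPLE 256
#define SRC_PORT_MATCH 1
#define DST_PORT_MATCH 2
_dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3, SRC_PORT_MATCH_STR, 0);
_dpd.alertAdd(GENERATOR_EXAMPLE, DST_PORT_MATCH, 1, 0, 3, DST_PORT_MATCH_STR, 0);
"""

def preproc_rule_ids(rules_text):
    """Return {(gid, sid)} for every enabled rule tagged metadata:rule-type preproc."""
    ids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "rule-type preproc" not in line:
            continue  # blank, commented out, or a normal detection rule
        gid = re.search(r"\bgid\s*:\s*(\d+)\s*;", line)
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        if gid and sid:
            ids.add((int(gid.group(1)), int(sid.group(1))))
    return ids

def alert_add_ids(source):
    """Return {(gid, sid)} for each _dpd.alertAdd(gid, sid, ...) call, resolving #defines."""
    defines = {m.group(1): int(m.group(2))
               for m in re.finditer(r"#define\s+(\w+)\s+(\d+)", source)}
    ids = set()
    for m in re.finditer(r"_dpd\.alertAdd\s*\(\s*(\w+)\s*,\s*(\w+)", source):
        gid = defines.get(m.group(1), m.group(1))
        sid = defines.get(m.group(2), m.group(2))
        if isinstance(gid, int) and isinstance(sid, int):  # skip unresolved symbols
            ids.add((gid, sid))
    return ids

def missing_preproc_rules(source, rules_text):
    """(gid, sid) pairs the preprocessor raises but no preprocessor rule enables."""
    return sorted(alert_add_ids(source) - preproc_rule_ids(rules_text))

if __name__ == "__main__":
    for gid, sid in missing_preproc_rules(PREPROC_SOURCE, RULES_TEXT):
        print(f"no preprocessor rule for gid:{gid} sid:{sid}; alertAdd will stay silent")
```

Running it on the constructed inputs reports gid:256 sid:2 as missing, which is exactly the silent-alertAdd symptom described in the thread.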