Re: Writing a dynamic rules

[Patrick Mullen <pmullen () sourcefire com>]

Hello!

Before I offer assistance, I want to clarify terms a bit --

Are you looking to write a shared object rule, using C to create
detection?  Or are you trying to write a rule option where you are
trying to create a new rule option that can be used in text rules
within snort?

If you're trying to write a shared object rule, I recommend using the
SO Generator located on http://vrt.snort.org.  Unfortunately, I just
discovered that the sip_* options are not currently handled (added to
my todo list now) but what you can do is use the dce_* options as
analogues to get the information you need on how to set up the
structures.  Just substitute the "dce" names in the structures with
the relevant "sip" names and you should be good to go.

This example rule will set up similar structures you can modify and
use in what you're writing --

alert tcp any any -> any any (msg:"test"; flow:to_client,established;
dce_opnum:10; dce_stub_data; content:"hello"; classtype:misc-activity;
sid:64002;)

dce_opnum would be very similar to what you would do for sip_method
and sip_stat_code.

dce_stub_data would be very similar to what you would do for sip_body
and sip_header (they both work like file_data, as opposed to being an
option to contentMatch like http_header, http_uri, etc).

Hope this helps.


Thanks,

~Patrick

On Sun, Nov 10, 2013 at 12:51 AM, donfack zeufack hermann
<donfack.hermann () gmail com> wrote:
> Hi
>
> First of all sorry for my english, and if my question is trivial and i'm
> new in SNORT development and i just try my best to understand it.
>
> I need to write a dynamic rule plugin for the SIP packet, I have also
> read all code of SIP dynamic preprocessor and understand how it work.
>
> But I have a problem, How can I use the preprocessorOption define in the
> sf_snort_plugin_api  to use SIP Rule Option defined by the SIP dynamic
> preprocessor ?
> is it even possible ?
>
> If it is not possible, can you give me a little example how to use the
> preprocessorOption ?
>
> Thanks in advance your help.
>
> ------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models. Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT

------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!