Snort mailing list archives

Re: Need help to know which files to be changed in Dynamic preprocessor starter kit

From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 26 Dec 2013 10:26:21 -0500

Looks like you need to rebuild and add these to your configure:

    --enable-active-response --enable-reload --enable-control-socket

and possibly others.  Try that and let's see where you are.


On Thu, Dec 26, 2013 at 8:13 AM, Emiliano Fausto
<emiliano.fausto () gmail com> wrote:

Hello Amtul,

I think you could start from scratch and try to follow this guide:

You'll see that after completing it, you'll get a lot of knowledge about
how dynamic pre-processors work and how to use them and code a new one.

I know I'm not directly answering the errors/warnings you are finding
in your setup, but it's a really good starting point, and it helped me a lot
to start coding pre-processors into SNORT.

Kind regards,

2013/12/26 Amtul Saboor <saboor.amtul () gmail com>


According to what Russ said, I made changes in dpx.c and
sf_preproc_info.h according to my needs.

I did all the things from the start, i.e. ./ that worked fine, then
:  ./ , but at this step I have faced too many errors. If I had
to change only dpx.c and sf_preproc_info.h, why am I getting errors in
other files when I run .

A few of the errors are:

error: expected declaration specifiers or '...' before
error: expected declaration specifiers or '...' before
error: expected declaration specifiers or '...' before
error: storage class specified for parameter 'PreprocRegisterFunc'
error: storage class specified for parameter 'GetRelatedReloadDataFunc'
error: expected declaration specifiers or '...' before 'snort_ip_p'
error: expected declaration specifiers or '...' before 'snort_ip_p'
error: storage class specified for parameter 'ThresholdCheckFunc'
error: storage class specified for parameter 'InlineDropFunc'
error: storage class specified for parameter 'ActiveEnableFunc'
error: storage class specified for parameter 'DisableDetectFunc'
error: storage class specified for parameter 'SetPreprocBitFunc'
error: storage class specified for parameter 'DetectFunc'
error: storage class specified for parameter 'GetRuleInfoByNameFunc'
error: storage class specified for parameter 'GetRuleInfoByIdFunc'
error: storage class specified for parameter 'printfappendfunc'
error: storage class specified for parameter 'TokenSplitFunc'
error: storage class specified for parameter 'TokenFreeFunc'
error: storage class specified for parameter 'AddPreprocProfileFunc'
error: storage class specified for parameter 'ProfilingFunc'
error: storage class specified for parameter 'PreprocessFunc'
error: storage class specified for parameter 'PreprocStatsRegisterFunc'
error: storage class specified for parameter 'AddPreprocReset'
error: storage class specified for parameter 'AddPreprocResetStats'
error: storage class specified for parameter 'AddPreprocReassemblyPktFunc'
error: storage class specified for parameter
error: storage class specified for parameter 'DisablePreprocessorsFunc'
error: storage class specified for parameter 'FindProtocolReferenceFunc'
error: storage class specified for parameter 'AddProtocolReferenceFunc'
error: storage class specified for parameter 'IsAdaptiveConfiguredFunc'
warning: parameter names (without types) in function declaration
error: expected declaration specifiers or '...' before 'tSfPolicyId'
error: storage class specified for parameter
error: storage class specified for parameter 'IP6BuildFunc'
error: storage class specified for parameter 'IP6SetCallbacksFunc'
error: expected declaration specifiers or '...' before 'PreprocOptionInit'
error: expected declaration specifiers or '...' before 'PreprocOptionEval'
error: expected declaration specifiers or '...' before
error: expected declaration specifiers or '...' before 'PreprocOptionHash'
error: expected declaration specifiers or '...' before
error: expected declaration specifiers or '...' before
error: expected declaration specifiers or '...' before
error: storage class specified for parameter 'AddKeywordOverrideFunc'
error: expected declaration specifiers or '...' before
error: storage class specified for parameter 'AddKeywordByteOrderFunc'
error: storage class specified for parameter 'IsPreprocEnabledFunc'
error: storage class specified for parameter 'PortArrayFunc'
error: storage class specified for parameter 'AlertQueueLog'
error: storage class specified for parameter 'AlertQueueControl'
warning: empty declaration
error: expected declaration specifiers or '...' before 'tSfPolicyId'
error: storage class specified for parameter 'SetPolicyFunc'
error: expected declaration specifiers or '...' before '*' token
warning: type defaults to 'int' in declaration of 'tSfPolicyId'
error: storage class specified for parameter 'tSfPolicyId'
error: 'tSfPolicyId' declared as function returning a function
error: redefinition of parameter 'tSfPolicyId'
/root/snort/src/dynamic-examples/include/sfPolicy.h:184: note: previous
definition of 'tSfPolicyId' was here
error: expected ')' before 'void'
error: storage class specified for parameter 'SetFileDataPtrFunc'
error: storage class specified for parameter 'DetectResetFunc'
error: storage class specified for parameter 'SetAltDecodeFunc'
error: storage class specified for parameter 'DetectFlagEnableFunc'
warning: parameter names (without types) in function declaration
error: storage class specified for parameter 'DynamicStrtol'
error: storage class specified for parameter 'DynamicStrtoul'
error: storage class specified for parameter 'DynamicStrnStr'
error: storage class specified for parameter 'DynamicStrcasestr'
error: storage class specified for parameter 'DynamicStrncpy'
error: storage class specified for parameter 'DynamicStrnPbrk'
error: storage class specified for parameter 'EvalRTNFunc'
error: storage class specified for parameter 'EncodeNew'
error: storage class specified for parameter 'EncodeDelete'
error: storage class specified for parameter 'EncodeUpdate'
error: storage class specified for parameter 'EncodeFormat'
error: storage class specified for parameter 'PafEnabledFunc'
error: storage class specified for parameter 'GetLogDirectory'
error: expected declaration specifiers or '...' before 'OOBPreControlFunc'
error: expected declaration specifiers or '...' before 'IBControlFunc'
error: expected declaration specifiers or '...' before 'OOBPostControlFunc'
error: storage class specified for parameter
error: storage class specified for parameter 'RegisterIdleHandler'
warning: parameter names (without types) in function declaration
error: storage class specified for parameter 'DynamicSendBlockResponse'
error: storage class specified for parameter 'ActiveInjectDataFunc'
error: storage class specified for parameter 'DynamicSetFlowId'
error: storage class specified for parameter 'DynamicIsStrEmpty'
error: storage class specified for parameter 'AddPeriodicCheck'
error: storage class specified for parameter 'AddPostConfigFuncs'
In file included from sf_dynamic_preproc_lib.c:37:
error: storage class specified for parameter 'AddOutPutModule'
error: storage class specified for parameter 'CanWhitelist'
error: storage class specified for parameter 'DisableAllPoliciesFunc'
error: storage class specified for parameter 'ReenablePreprocBitFunc'
error: storage class specified for parameter 'DynamicCheckValueInRangeFunc'
error: storage class specified for parameter 'DynamicReadyForProcessFunc'
error: expected specifier-qualifier-list before 'SFDataBuffer'
error: storage class specified for parameter 'DynamicPreprocessorData'
error: expected ')' before '*' token
error: expected '=', ',', ';', 'asm' or '__attribute__' before '_dpd'
sf_dynamic_preproc_lib.c:40: error: expected declaration specifiers
before 'DynamicPreprocessorData'
sf_dynamic_preproc_lib.c:43: error: expected '=', ',', ';', 'asm' or
'__attribute__' before '{' token
sf_dynamic_preproc_lib.c:59: error: expected declaration specifiers
before '__attribute__'
sf_dynamic_preproc_lib.c:79: error: expected declaration specifiers
before '__attribute__'
sf_preproc_info.h:36: error: old-style parameter declarations in
prototyped function definition
sf_preproc_info.h:36: error: parameter name omitted
sf_preproc_info.h:36: error: parameter name omitted
sf_preproc_info.h:37: error: parameter name omitted
sf_dynamic_preproc_lib.c:89: error: expected '{' at end of input
make[2]: *** [sf_dynamic_preproc_lib.lo] Error 1
make[1]: *** [install] Error 2
make: *** [install-recursive] Error 1

Please guide me

On Tue, Nov 26, 2013 at 3:43 PM, Amtul Saboor <saboor.amtul () gmail com> wrote:


I need to verify if I am doing it correctly, because I don't think dpx.c
is running the way it should. This is my output when I type ./ :

root@bt:/usr/src/dpx-1.6# cd /usr/src/dp
root@bt:/usr/src/dp# ./
./ line 1: /root/snort: is a directory
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "test/snort.conf"
Tagged Packet Limit: 256
Loading all dynamic preprocessor libs from
  Loading dynamic preprocessor library
lib/snort_dynamicpreprocessor/ done
  Finished Loading all dynamic preprocessor libs from
Log directory = /var/log/snort

Initializing rule chains...
4 Snort rules read
    4 detection rules
    0 decoder rules
    0 preprocessor rules
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules

+-------------------[Rule Port
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       4       0       0       0
|      nc       4       0       0       0
|     s+d       0       0       0       0


| memory-cap : 1048576 bytes

| none


| memory-cap : 1048576 bytes

| none


| memory-cap : 1048576 bytes


| none

| none

Rule application order:
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
pcap DAQ configured to read-file.
The DAQ version does not support reload.
Acquiring network traffic from "test/test.pcap".
Reload thread starting...
Reload thread started, thread 0xb6997b70 (1754)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 205)
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version:

           Preprocessor Object: dpx  Version 1.6  <Build 1>
Commencing packet processing (pid=1753)
3    256    2    0
4    256    2    0
5    256    1    0

Run time for packet processing was 0.994 seconds
Snort processed 6 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:            6

Packet I/O Totals:
   Received:            6
   Analyzed:            6 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0

Breakdown by protocol (includes rebuilt packets):
        Eth:            6 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            6 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:            6 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            6

Action Stats:
     Alerts:            3 ( 50.000%)
     Logged:            3 ( 50.000%)
     Passed:            0 (  0.000%)
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
      Allow:            6 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
Snort exiting


*Amtul Saboor*

*MS (Information Security)*

*Military College of Signals, National University of Science &
Technology, Rawalpindi*


Snort-devel mailing list
Snort-devel () lists sourceforge net