Snort mailing list archives
Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Mon, 13 Jan 2014 18:55:01 -0200
Hi all, after doing some more research on this, I think that, although it might be a different way of approaching the requirement I have, there could be a way of doing it by developing a "Detection Plugin". Does anyone know if, from my own detection plugin, I could call the "content" or "pcre" one? For instance, I create a detection plugin called "givesTheUser", which will create these 2 variables in the Snort memory structure (user_surname and user_name). But inside my plugin, I'd like to use the keywords pcre or content without "re-coding" them. Is it possible? Has anyone done something similar before? Thanks in advance! Emiliano.

2014/1/10 Emiliano Fausto <emiliano.fausto () gmail com>

Hi there, just in case: I know that I would be able to create a detection plugin, like the tcpurg example. But the problem is that I'd rather use the Snort detection engine to get the full string, hex and PCRE searching features. It would be really hard for me to start from scratch implementing that functionality. Instead, I'd like to take advantage of them and use them the way http_header does, for example. Regards! Emiliano.

2014/1/10 Emiliano Fausto <emiliano.fausto () gmail com>

Hi all! I'm developing a preprocessor which takes extra information from a packet, and I'd like this info to be passed to the global Snort structure so it can be used in the rules engine. Let's suppose I have a packet with this information: |header| payload| --> In the payload, I have the info: Name="John", Surname="Doe". And I create two variables in the preprocessor called: user_name = payload-->Name and user_surname = payload-->Surname. So, I'd like to know if someone has worked with global variables so that I can create a new rule in Snort which would be something like:

alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content: "John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Doe has logged in to the system"; sid: 12345678; rev: 1; )

Thanks in advance, Emiliano.
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
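The thread asks how a preprocessor-supplied value (user_name, user_surname) can be exposed as a rule keyword that the stock content and pcre matchers then operate on, the way http_header does. The mechanism behind that is a buffer selector: the keyword does no matching of its own, it only repoints the detection buffer and resets the cursor, and every content/pcre option that follows searches that buffer (in Snort 2.x this is also how the dcerpc2 preprocessor's dce_stub_data keyword works, by placing the cursor at the stub data for later options). The following is an added, self-contained model of that design, written by the editor; it is not Snort code and does not use the Snort plugin API. The Packet, DetectState, select_buffer, content, pcre and alerts names, the Name="..."/Surname="..." payload grammar and the sample payloads are all assumptions. It goes slightly beyond the post to show why the selector matters: the same two content patterns run on the raw payload fire when the fields are swapped, while the selector-based rule does not.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample payload, in the Name="..."/Surname="..." form the post describes.
SAMPLE_PAYLOAD = b'Name="John", Surname="Doe"'


@dataclass
class Packet:
    payload: bytes
    # Populated by the preprocessor stage: the user_name / user_surname values
    # the post wants to publish from the preprocessor to the rules engine.
    extracted: Dict[str, bytes] = field(default_factory=dict)


def preprocess(pkt: Packet) -> None:
    """Preprocessor stage (assumed payload grammar): extract Name/Surname once per packet."""
    for key, var in (("Name", "user_name"), ("Surname", "user_surname")):
        m = re.search(rb'\b' + key.encode() + rb'="([^"]*)"', pkt.payload)
        if m:
            pkt.extracted[var] = m.group(1)


@dataclass
class DetectState:
    """State shared by all options of one rule evaluation: the buffer that
    content/pcre currently search, plus a cursor for relative matches."""
    pkt: Packet
    buffer: bytes
    cursor: int = 0


Option = Callable[[DetectState], bool]


def select_buffer(var: str) -> Option:
    """Buffer-selector keyword (user_name; / user_surname;), modelled on how
    http_header redirects later content/pcre options: point the buffer at the
    preprocessor-extracted field and reset the cursor. Fails if the field is absent."""
    def opt(state: DetectState) -> bool:
        data = state.pkt.extracted.get(var)
        if data is None:
            return False
        state.buffer, state.cursor = data, 0
        return True
    return opt


def content(pattern: bytes, nocase: bool = False, relative: bool = False) -> Option:
    """content:"..."; searched in the current buffer (from the cursor if relative)."""
    def opt(state: DetectState) -> bool:
        start = state.cursor if relative else 0
        hay, needle = state.buffer[start:], pattern
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        idx = hay.find(needle)
        if idx < 0:
            return False
        state.cursor = start + idx + len(needle)
        return True
    return opt


def pcre(expr: str, flags: int = 0, relative: bool = False) -> Option:
    """pcre:"/.../"; run against the current buffer (from the cursor if relative)."""
    rx = re.compile(expr.encode(), flags)

    def opt(state: DetectState) -> bool:
        start = state.cursor if relative else 0
        m = rx.search(state.buffer[start:])
        if not m:
            return False
        state.cursor = start + m.end()
        return True
    return opt


def evaluate(rule: List[Option], pkt: Packet) -> bool:
    """Options run left to right against shared state; the rule fires only if all pass.
    The default buffer is the raw payload, as for a rule with no selector."""
    state = DetectState(pkt, pkt.payload)
    return all(opt(state) for opt in rule)


# The rule from the post, as an option list:
#   user_name; content:"John"; nocase; user_surname; content:"Doe"; nocase;
JOHN_DOE_RULE: List[Option] = [
    select_buffer("user_name"), content(b"John", nocase=True),
    select_buffer("user_surname"), content(b"Doe", nocase=True),
]

# The same patterns without selectors, i.e. a plain rule on the raw payload.
RAW_PAYLOAD_RULE: List[Option] = [content(b"John", nocase=True), content(b"Doe", nocase=True)]


def alerts(payload: bytes, rule: Optional[List[Option]] = None) -> bool:
    """Run the preprocessor and then the rule (default: JOHN_DOE_RULE) on one UDP payload."""
    pkt = Packet(payload)
    preprocess(pkt)
    return evaluate(JOHN_DOE_RULE if rule is None else rule, pkt)


if __name__ == "__main__":
    print(alerts(SAMPLE_PAYLOAD))                                   # True
    print(alerts(b'Name="Doe", Surname="John"'))                    # False: fields checked separately
    print(alerts(b'Name="Doe", Surname="John"', RAW_PAYLOAD_RULE))  # True: raw-payload rule fires anyway
```

The point of the model is the division of labour: the preprocessor parses once and stores the fields on the packet, the selector keyword only swaps the buffer and cursor, and content/pcre are written exactly once and know nothing about where the buffer came from. That is the same reason an anchored pcre such as ^John\w*$ is usable against a selected field but meaningless against the raw payload.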
Current thread:
- [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 10)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 10)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 13)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 15)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 13)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 10)