Snort mailing list archives
Re: ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase)
From: Martijn van Oosterhout <kleptog () gmail com>
Date: Fri, 13 Jun 2014 14:57:44 +0200
And I've found the root cause of the problem. Basically it's this code in src/preprocessors/spp_stream5.c:

    static void Stream5RegisterXtraDataLog(LogExtraData f, void *config)
    {
        extra_data_log = f;
        extra_data_config = config;
    }

Basically, the way this code is written, there can only be a single output plugin that gets the extra data, and it will be the last plugin that calls this function to register itself. The registration happens in src/output-plugins/spo_unified2.c:Unified2PostConfig(), so it happens for any unified2 output, no matter how you configure it.

I noticed this because there was data being logged to the snort.testing.u2 logfile even though no rules matched. What happens is that the extra data will always be logged to the *last* custom ruletype that defines a unified2 output. Because of the way ConfigureOutputPlugins() is written, there is no way to give priority to the main output plugins.

Basically, I think the way this is done is wrong: the extra data callback should be handled the same as the output plugins and should be stored in the ListHead. That's the only way to ensure that the extra data ends up in the same file as the alert and packet.

Hope this makes everything clearer.

-- 
Martijn van Oosterhout <kleptog () gmail com>
http://svana.org/kleptog/
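The failure mode described in the message above, as an added, self-contained C illustration that is not Snort's code: a single global registration slot (pattern A) versus the callback kept on the ruletype's list head next to its output plugins (pattern B). The names Stream5RegisterXtraDataLog, LogExtraData, ListHead and Unified2PostConfig are borrowed from the mail only as labels; their signatures, the ListHead fields, the U2Config struct, the file names and the two-ruletype scenario are all constructed here and do not reflect Snort's real data structures.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the extra-data callback type; the real Snort signature is not
 * reproduced here, this toy only records which output received the record. */
typedef int (*LogExtraData)(void *config, const char *data);

/* Toy unified2 output instance: one per `output alert_unified2` line / ruletype. */
typedef struct {
    const char *filename;   /* log file this output writes to */
    int extra_records;      /* extra-data records that landed here */
} U2Config;

/* --- Pattern A: one global slot, as the mail describes (last caller wins) --- */
static LogExtraData extra_data_log = NULL;
static void *extra_data_config = NULL;

static void Stream5RegisterXtraDataLog(LogExtraData f, void *config)
{
    extra_data_log = f;
    extra_data_config = config;
}

/* --- Pattern B: callback stored on the ruletype's list head (hypothetical) --- */
typedef struct {
    const char *ruletype;
    LogExtraData extra_log;   /* assumed field; not a real Snort ListHead member */
    void *extra_config;
} ListHead;

static void RegisterXtraDataLogOnList(ListHead *head, LogExtraData f, void *config)
{
    head->extra_log = f;
    head->extra_config = config;
}

/* What a unified2 output does with an extra-data record in this toy. */
static int U2LogExtraData(void *config, const char *data)
{
    U2Config *cfg = (U2Config *)config;
    (void)data;
    cfg->extra_records++;
    return 0;
}

/* Toy Unified2PostConfig(): every unified2 output registers itself, in config order. */
static void PostConfigAll(ListHead *heads, U2Config *cfgs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        Stream5RegisterXtraDataLog(U2LogExtraData, &cfgs[i]);           /* pattern A */
        RegisterXtraDataLogOnList(&heads[i], U2LogExtraData, &cfgs[i]); /* pattern B */
    }
}

/* Pattern A: an event's extra data goes wherever the single slot points. */
static const char *LogExtraGlobal(const char *data)
{
    if (extra_data_log == NULL)
        return NULL;
    extra_data_log(extra_data_config, data);
    return ((U2Config *)extra_data_config)->filename;
}

/* Pattern B: the event carries its ruletype, so the record follows the alert. */
static const char *LogExtraViaList(ListHead *head, const char *data)
{
    if (head->extra_log == NULL)
        return NULL;
    head->extra_log(head->extra_config, data);
    return ((U2Config *)head->extra_config)->filename;
}

/* Constructed scenario: the main `alert` ruletype logs to snort.u2; a custom
 * ruletype declared after it logs to snort.testing.u2.  A rule of the *main*
 * ruletype then fires and emits extra data (e.g. a URI). */
static U2Config g_cfgs[2];
static ListHead g_heads[2];

static void SetupScenario(void)
{
    extra_data_log = NULL;
    extra_data_config = NULL;
    g_cfgs[0] = (U2Config){ "snort.u2", 0 };
    g_cfgs[1] = (U2Config){ "snort.testing.u2", 0 };
    g_heads[0] = (ListHead){ "alert", NULL, NULL };
    g_heads[1] = (ListHead){ "testing", NULL, NULL };
    PostConfigAll(g_heads, g_cfgs, 2);
}

/* File that receives the main ruletype's extra data under each pattern. */
const char *ExtraDataFileGlobalSlot(void)
{
    SetupScenario();
    return LogExtraGlobal("uri=/index.html");
}

const char *ExtraDataFilePerRuletype(void)
{
    SetupScenario();
    return LogExtraViaList(&g_heads[0], "uri=/index.html");
}

int main(void)
{
    printf("global slot:  extra data for an 'alert' event lands in %s\n", ExtraDataFileGlobalSlot());
    printf("per ruletype: extra data for an 'alert' event lands in %s\n", ExtraDataFilePerRuletype());
    return 0;
}
```

With the global slot, the record for a main-ruletype alert is written to snort.testing.u2 because that output registered last, exactly the mismatch reported in the thread; with the callback kept per list head, it goes to snort.u2 alongside the alert and packet.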
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase) Martijn van Oosterhout (Jun 11)
- Re: ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase) Joel Esler (jesler) (Jun 11)
- Re: ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase) Nicholas Mavis (nmavis) (Jun 11)
- Re: ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase) Martijn van Oosterhout (Jun 12)
- Re: ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase) Martijn van Oosterhout (Jun 13)
- Re: ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase) Martijn van Oosterhout (Jun 13)
- Re: ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase) Joel Esler (jesler) (Jun 11)