Snort mailing list archives
Re: how to use stream5 reassembler to reassemble tcp packet?
From: Mitesh Jadia <mitesh.jadia () gmail com>
Date: Thu, 6 Nov 2014 18:52:39 +0530
Yes, you can use the _dpd.streamAPI->register_paf_port function. You can see its simplest example in snort_ftptelnet.c; it is like:

_dpd.streamAPI->register_paf_port(sc, policy_id, (uint16_t)i, true, ftp_paf, false);

This function just finds the last \n character in the available buffer and flushes all bytes including the last \n byte found. The ftp_paf function is registered for traffic coming on the port called i (3rd argument) here. So for each packet this ftp_paf function will be called. You do not have to worry about out-of-order packets; you will get all packets in the session sequentially.

There are some return values for this callback function which you need to understand. They are like:

PAF_FLUSH -- It sets the flush point in the session. Stream6 will automatically flush the stream (data up to your registered flush point).
PAF_ABORT -- Stops calling the callback function after the current packet on the session.
PAF_SEARCH -- The default return value should be this one. When PAF_SEARCH is returned, stream6 understands that the callback needs more packets to identify the fp on this session, so it will continue sending each packet to the callback function.

...

Regards,
Mitesh Jadia

On Thu, Nov 6, 2014 at 6:25 PM, Mohiuddin Ebna Kawsar <mohiuddin.kawsar () gmail com> wrote:
Hi,
I am trying to build a dynamic preprocessor for Snort. I need to reassemble TCP packets in a specific case. Can I use the stream5 preprocessor for this? If yes, how? Is there any example? Waiting for your answer.

Regards,
Kawsar

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
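As an added illustration (not code from this thread or from Snort itself), here is a stand-alone C model of the flush-point logic the reply attributes to ftp_paf and of how the three return values steer the stream. The paf_status_t enum, the simplified callback prototype, the MAX_LINE_WITHOUT_NEWLINE cap and the sample segments are assumptions, not Snort's own definitions.

```c
#include <stdint.h>
#include <stdio.h>
/* Stand-in for the three PAF_Status values the reply names (assumption). */
typedef enum { PAF_ABORT = 0, PAF_SEARCH, PAF_FLUSH } paf_status_t;

/* Hypothetical cap on bytes tolerated without a newline; not from Snort. */
#define MAX_LINE_WITHOUT_NEWLINE 512

/* Mirrors what the reply says ftp_paf does: set the flush point just past
 * the last '\n', or return PAF_SEARCH so the stream keeps collecting. The
 * PAF_ABORT branch is a defensive addition, and the prototype is a
 * simplification, not Snort's PAF callback signature. */
paf_status_t newline_paf(const uint8_t *data, uint32_t len, uint32_t *fp)
{
    if (data == NULL || len == 0)
        return PAF_SEARCH;
    for (uint32_t i = len; i > 0; i--) {
        if (data[i - 1] == '\n') {
            *fp = i;            /* flush bytes [0, i), '\n' included */
            return PAF_FLUSH;
        }
    }
    return len > MAX_LINE_WITHOUT_NEWLINE ? PAF_ABORT : PAF_SEARCH;
}

/* Feeds in-order segments to the callback, stopping on PAF_ABORT; returns the flush count. */
int run_paf(const uint8_t *segs[], const uint32_t lens[], int n)
{
    int flushes = 0;
    for (int i = 0; i < n; i++) {
        uint32_t fp = 0;
        paf_status_t st = newline_paf(segs[i], lens[i], &fp);
        if (st == PAF_ABORT)
            break;
        if (st == PAF_FLUSH)
            flushes++;
    }
    return flushes;
}

int main(void)
{
    /* Constructed FTP-like segments; the PASS command spans two of them. */
    const uint8_t *segs[] = { (const uint8_t *)"USER anonymous\r\n",
                              (const uint8_t *)"PASS gu", (const uint8_t *)"est\r\n" };
    const uint32_t lens[] = { 16, 7, 5 };
    printf("flushes: %d\n", run_paf(segs, lens, 3));
    return 0;
}
```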