Snort mailing list archives
Re: Snort 3.0: Actions
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 5 Feb 2015 12:08:28 +0000
Sancho,

That's not how these actions work. Action plugins have a builtin action associated with them (alert, drop, etc.). When you define a new action plugin, like reject, you don't modify the source code. Just use the given API. If you send me your source I can help you get it working.

Thanks
Russ

________________________________________
From: Sancho Panza [sancho () posteo de]
Sent: Thursday, February 05, 2015 5:34 AM
To: Russ Combs (rucombs)
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Snort 3.0: Actions

Hello!

After I wrote yesterday I had another look at it all and found out a few more things.

* Drop doesn't have an action because it is built in. Externally defined actions must be configured to become available to the parser. For the reject rule, you can set reject = { } to get the rule to parse. It won't work without setting the type of response (reject.reset, etc.) but I just discovered that will fail in the encoder (it *used* to work :). So don't try that (or react) until we get a fix out.

I think the reason why the actions/act_reject.cc module doesn't kick in is because its rule type is set to RULE_TYPE__DROP in rej_api.

I tried by defining RULE_TYPE__REJECT in actions/actions.h and setting the rule type of rej_api to that newly defined value. I also had to add "reject" to the "static const char* const rule_type[RULE_TYPE__MAX]" array in actions/actions.cc. After that, the exec() function from actions/act_reject.cc got called for a reject type rule. But I'm not sure whether it's supposed to work like that, or am I just improvising...

Regards
Sancho
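Added example, not part of the thread or of the Snort project's own files: a Snort 3 Lua configuration fragment showing the point Russ makes above, that a builtin action such as drop needs no configuration while an externally defined action like reject must be configured before the rule parser will accept rules that use it. The config syntax is assumed from Snort 3's Lua configuration; the `reset` option values are taken from the later Snort 3 manual, not from this thread, and the rule is a constructed sample.

```lua
-- snort.lua fragment (added example, not from the thread)
-- Builtin actions (alert, drop, ...) need no configuration at all.
-- Externally defined actions must be configured before the parser accepts
-- rules that use them; per Russ, an empty table is enough for 'reject' to parse.
reject = { }

-- Assumption: 'reset' selects which side receives a TCP RST
-- ('source', 'dest' or 'both'); these values come from the Snort 3 manual,
-- not from this thread. At the time of the thread, setting reject.reset
-- failed in the encoder, so leave it commented out until the fix is in.
-- reject = { reset = 'both' }

-- A rule using the configured action (constructed sample). Assumption:
-- ips.rules accepts inline rule text in a Lua long string.
ips =
{
    rules = [[
        reject tcp any any -> any 23 ( msg:"telnet blocked by policy"; sid:1000001; )
    ]]
}
```

With `reject = { }` absent, the parser rejects the rule because `reject` is not a known rule type; with it present, the rule parses and the action plugin's exec() runs without any change to Snort's own source, which is the behaviour Russ describes.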