Re: unified2 extra data - howto

[Pablo Cantos Polaino <pcantos () redborder org>]

Hi Michal,

I'm working on including some extra data fields related to files captured
by Snort. For that, I'm using the new and experimental File preprocessor
and modifying some pieces of code. Until now, I managed to include in
snort.log.<timestamp> files the extra data which I was interested on. I
hope I could share it shortly.

I would recommend you to put the following line:

p->xtradata_mask |= BIT(config->xtra_funkcion_id);


instead of:

_dpd.streamAPI->set_extra_data(p->stream_session, p,
> config->xtra_funkcion_id);


If this doesn't work, could you use gdb to be sure the
CallBackFunctionUnified2 function is been called?

Best Regards,

Pablo Cantos
redborder.org / pcantos () redborder org

2015-03-25 23:35 GMT+01:00 Michal Keníž <michalkeniz () gmail com>:

> Hello,
>
> I am currently developing a snort dynamic preprocessor. I would like* to
> log some additional data to the unified2-extra field *as described here
> http://manual.snort.org/node44.html#SECTION00637000000000000000 .
>
> I couldn't find any howtos or documentation about this topic, so I tried
> to figure it out by inspecting the smtp preprocessor which uses the extra
> data field (as can be seen here https://www.snort.org/faq/readme-unified2
> ).
>
> I thought it should be enough if i use the following code:
>
>    - Init function ~
>
>
> *static void Init(struct _SnortConfig *sc, char *args){*
> *//basic init stufff ~ config and registering*
>
> *config->xtra_funkcion_id =
> _dpd.streamAPI->reg_xtra_data_cb(CallBackFunctionUnified2);*
> *}*
>
>    - CallBackfunction ~
>
> *int CallBackFunctionUnified2(void *data, uint8_t **buf, uint32_t *len,
> uint32_t *type)*{
>
> *_dpd.logMsg("Npcusum: JUST TRYING IF THIS FUNCTION IS CALLED WHILE
> TRAFFIC PROCESSING \n");*
> * return 0;*
> }
>
>    - Packet processing ~
>
>
> *static void ProcessPacket(void *pkt, void *context)*
> *// not important stuff.*
> *    if ((p->tcp_header->flags & TCPHEADER_FIN) == TCPHEADER_FIN) { //
> just packets with FIN flag*
> *        config->userdata.fin_count = config->userdata.fin_count + 1;*
> * _dpd.logMsg("Npcusum: JUST TRYING TO LOG SOMETHING :\n"); *
> * _dpd.streamAPI->set_extra_data(p->stream_session, p,
> config->xtra_funkcion_id);*
> *    }*
> *// not important stuff.*
>
> But this doesn't work, no log message is displayed (so the function is not
> called at all).
>
> Would it be possible to give me some info/guidlines about using the
> unified2 extra data field in a new dynamic preprocessor - a basic example
> (maybe an extension of the snort example preprocessor?), or just a list of
> requirements I do have to fullfill for it to work.
>
> Thank you for your time,
>
> best regards Michal
>
> --
> Carpe Diem
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!