Re: Preprocessor's process function not called due to wrong pp_enabled masks

[Michael Altizer <xiche () verizon net>]

On 06/28/2016 02:17 PM, Matthias Wübbeling wrote:
> Hi folks,
>
> I experience some problems developing a dynamic preprocessor (it works
> fine with Snort <= 2.9.6.2 but there are some issues with more recent
> versions). Setup and initialization pass without any problems but the
> process function itself is never called. I've seen emails regarding the
> same or a similar problem, they just got no answer.
>
> I started digging into it (using Snort version 2.9.8.3) and found out,
> that the process function is not called as the pp_enabled bitmask (of
> the policy) has never been set for any port,
> IsPreprocessorEnabled(p,ppn->preproc_bit) fails in src/detect.c:140.
> *This seems odd to me*.
>
> After adding the following lines of code to plugbase.c (line 989 ff) the
> pp's process function is called as desired.
>
>   989     uint32_t port;
>   990     for( port = 0; port < MAX_PORTS; port++ )
>   991       p->pp_enabled[ port ] |= ( UINT64_C(1) << node->preproc_id );
>
>
> The dynamic-preprocessors contained in the source release rely on the
> session or stream5 API (both are not dynamic). In
> preprocessors/spp_session.c the pp_enabled is set for all ports accordingly.
>
> I tried to set the pp_enabled bitmask directly inside my pp's
> init function but there is no SnortPolicy struct defined in
> the dynamic-preprocessors/include headers providing access to pp_enabled.
>
> When including src/snort.h (it defines SnortPolicy) from my pp, this
> fails due to header problems defining structs multiple times (see below)
> so this is no solution to get SnortPolicy into the pp.
>
> E.g. _CiscoMetaHdr is defined in the following files (grep output):
>
> decode.h:typedef struct _CiscoMetaHdr
> detection-plugins/sf_snort_packet.h:typedef struct _CiscoMetaHdr
> dynamic-plugins/sf_engine/sf_snort_packet.h:typedef struct _CiscoMetaHdr
> dynamic-preprocessors/include/sf_snort_packet.h:typedef struct _CiscoMetaHdr
>
> So using snort.h is no opportunity.
>
> What do you think might be the best way to set the pp_enabled bitmap
> correctly? Or am I wrong? I do not really want to enable all dynamic pps
> for all ports in plugbase.c but obviously, there is no other way.
>
> Thanks in advance.
>
> Kind regards,
> - Matthias
Is there some reason that you're trying to avoid using the sessionAPI 
(_dpd.sessionAPI->enable_preproc_for_port()) to define which port(s) you 
want the preprocessor to run on?  If you really want it to run 
everywhere all the time, you can use _dpd.addPreprocAllPolicies() and 
_dpd.sessionAPI->enable_preproc_all_ports_all_policies(), or their 
policy-specific variants.  (That still obviously relies on the Session API.)



------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!