Snort mailing list archives

Re: Duplicate/similar struct definitions between src/decoder.h and src/dynamic_plugins/sf_engine/sf_snort_packet.h?


From: Steven Sturges <ssturges () sourcefire com>
Date: Thu, 11 Aug 2011 12:33:17 -0400

Hi Joshua--

There are definitely some legacy reasons for this.  :)

When we added the .so's (dynamic rule engine & .so rules, and the 
dynamic preprocessors) to Snort, circa 2.6, there was a desire to be
able to decouple them from the main Snort.  So, the data structures
that were shared (packet, protocol headers, etc) were replicated to
allow for independent building of those dynamic components, without
having to change everything that was already in Snort -- packet
decoder, preprocessors (Frag, Stream, etc), pattern matcher, rules 
engine, output plugins, etc.

Over time things have evolved even more, and there is code that is
shared between Snort and the dynamic components via direct build.
Those elements get built in the module where it's needed.  An example of
that is the memory pool that is used in the SMTP preprocessor as well
as other places within Snort.

Cheers
-steve

On 8/11/11 12:55 AM, Joshua.Kinard () us-cert gov wrote:

Hi snort-devel,

Looking through src/decoder.h at the typedef/struct for 'Packet', a
comment says that if any changes were made, to update the similar
definition in sf_snort_packet.h.  Opening that file up, pretty much, all
the same data structures from decoder.h are duplicated, just with minor
variations (like u_int32_t versus uint32_t).

My question is why?

Wouldn't it be better to have a single, common definition in a central
header file for all the various protocol headers (IPv4, IPv6, TCP, UDP,
MPLS, etc), rather than re-defining multiple variants?  Aside from the
changes in the data types (which I am sure are just typedefs of each
other) and the names, everything looks the exact same.

Example:

src/decoder.h:
     typedef struct _UDPHdr
     {
         uint16_t uh_sport;
         uint16_t uh_dport;
         uint16_t uh_len;
         uint16_t uh_chk;
     }       UDPHdr;

src/dynamic_plugins/sf_engine/sf_snort_packet.h:
     typedef struct _UDPHeader
     {
         u_int16_t source_port;
         u_int16_t destination_port;
         u_int16_t data_length;
         u_int16_t checksum;
     } UDPHeader;

Seems wasteful, but maybe there is some kind of legacy issue that is
undocumented?

--J

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
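
The risk in keeping two hand-maintained copies of a header in sync by source comment alone is silent layout drift between Snort and the dynamic components; a compile-time check catches that at build time. The following is an added example, not code from Snort or from either poster: the `SAME_FIELD` macro, `udp_views_agree` and the sample bytes are hypothetical, and `u_int16_t` is written as `uint16_t` on the assumption that they name the same type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* As quoted in the thread from src/decoder.h */
typedef struct _UDPHdr {
    uint16_t uh_sport;
    uint16_t uh_dport;
    uint16_t uh_len;
    uint16_t uh_chk;
} UDPHdr;

/* As quoted from sf_snort_packet.h (u_int16_t assumed equal to uint16_t) */
typedef struct _UDPHeader {
    uint16_t source_port;
    uint16_t destination_port;
    uint16_t data_length;
    uint16_t checksum;
} UDPHeader;

/* Hypothetical helper: the build fails if a field pair differs in offset or size */
#define SAME_FIELD(A, a, B, b)                                   \
    _Static_assert(offsetof(A, a) == offsetof(B, b) &&           \
                   sizeof(((A *)0)->a) == sizeof(((B *)0)->b),   \
                   #A "." #a " and " #B "." #b " have drifted apart")

_Static_assert(sizeof(UDPHdr) == 8 && sizeof(UDPHeader) == 8, "UDP header size drift");
SAME_FIELD(UDPHdr, uh_sport, UDPHeader, source_port);
SAME_FIELD(UDPHdr, uh_dport, UDPHeader, destination_port);
SAME_FIELD(UDPHdr, uh_len,   UDPHeader, data_length);
SAME_FIELD(UDPHdr, uh_chk,   UDPHeader, checksum);

/* Runtime cross-check: load the same wire bytes through both definitions.
 * Returns 1 when every field agrees, 0 otherwise. */
int udp_views_agree(const uint8_t wire[8])
{
    UDPHdr core;
    UDPHeader plugin;
    memcpy(&core, wire, sizeof core);     /* memcpy avoids aliasing/alignment issues */
    memcpy(&plugin, wire, sizeof plugin);
    return core.uh_sport == plugin.source_port && core.uh_dport == plugin.destination_port &&
           core.uh_len == plugin.data_length && core.uh_chk == plugin.checksum;
}

/* Constructed sample: sport 53, dport 33000, length 8, checksum 0 (network order) */
static const uint8_t sample_udp[8] = {0x00, 0x35, 0x80, 0xe8, 0x00, 0x08, 0x00, 0x00};

int main(void) { printf("views agree: %d\n", udp_views_agree(sample_udp)); return 0; }
```

Reordering or resizing a field in only one of the two structs makes the corresponding `SAME_FIELD` line stop the build with a message naming the pair.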

