Snort mailing list archives

Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol


From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 26 Dec 2011 19:06:35 -0500

With the release of snort-2.9.2 final, I rebased my work for the ether_type
rule option.  Some of the data types changed which required it.

In addition, I added the bit of code to DecodeIEEE80211Pkt to make it work
with ether_type (no time to fix the mess w/ LLC/SNAP frame decoding right
now), and I added documentation to the snort manual for the new option and
tested it once I got the TeX tools set up and working.

Attached patch only modifies the snort_manual.tex file, so the PDF would
need to be regenerated in an upcoming release if this is accepted.

And let's not forget the hyperlinks in the manual next time :)

Changes:
 doc/snort_manual.tex                            |  105 ++++++
 src/decode.c                                    |  120 +++++++
 src/decode.h                                    |   27 +
 src/detect.c                                    |   42 +-
 src/detection-plugins/Makefile.am               |    3
 src/detection-plugins/Makefile.in               |    8
 src/detection-plugins/detection_options.c       |   14
 src/detection-plugins/sp_ether_type.c           |  361 ++++++++++++++++++++++++
 src/detection-plugins/sp_ether_type.h           |  125 ++++++++
 src/dynamic-plugins/sf_engine/sf_snort_packet.h |    3
 src/fpcreate.c                                  |  252 +++++++++++++---
 src/fpcreate.h                                  |    7
 src/fpdetect.c                                  |  241 ++++++++++------
 src/fpdetect.h                                  |   12
 src/parser.c                                    |  183 ++++++++----
 src/plugbase.c                                  |    2
 src/plugin_enum.h                               |    1
 src/rule_option_types.h                         |    3
 src/sfutil/sfportobject.h                       |    7
 src/snort.c                                     |   14
 src/snort.h                                     |    4
 21 files changed, 1313 insertions(+), 221 deletions(-)


Cheers!

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: snort-2.9.2-ether_type-support.patch

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
