Snort mailing list archives

Re: Dynamic Preprocessor- packets from established flows


From: Todd Wease <twease () sourcefire com>
Date: Wed, 30 Jan 2013 09:33:35 -0500

Hi Alex,

On Tue, Jan 29, 2013 at 3:01 PM, Alex Adamos <alexthakidadam () hotmail com> wrote:
Hi,

I managed to get my own preprocessor running (using the DPX starter kit). I
would like to know, when my preprocessor gets called for a packet, whether
it's from an established flow or not. Can anyone help me with how to do this?

Your preprocessor will be called in src/detect.c:Preprocess().  It
will get called for any TCP/UDP packet with application data: raw off
the wire, IP-frag reassembled (via frag3), or TCP reassembled (via
stream5).


Also, I have a counter of the packets being processed by my DPX, and I see a
significant difference from the other preprocessors. It's like my DPX
doesn't get called for every packet.
I add my preprocessor like this:

_dpd.addPreproc(DPX_Process, PRIORITY_LAST, PP_DPX, PROTO_BIT__TCP|PROTO_BIT__UDP);

This looks correct; however, you've given it PRIORITY_LAST, which means
most of the other preprocessors are going to run before yours, and
there are some that will disable other preprocessors if they decide
to do inspection, which may be why your preprocessor isn't being called
as often as you would think.  For example, if http_inspect evaluates a
packet, it's likely HTTP, and the other application-layer
preprocessors don't need to look at it.  If you want your preprocessor
to run regardless, you could give it a higher priority, specifically
higher than PRIORITY_APPLICATION, or look for DisableDetect(),
disableDetect(), DisableAllDetect() and disableAllDetect() in the code
- you'll likely see that when these are called, some other
preprocessors are re-enabled, and you could add a similar line for your
preprocessor.


thanks,
Alex.
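A constructed model of the dispatch behaviour Todd describes above, added here as an illustration (this is not Snort source and not code from either poster): preprocessors run in priority order, and a preprocessor that disables detection clears a per-packet preprocessor bitmask, so a PRIORITY_LAST preprocessor never sees the packets http_inspect claimed. The PRIORITY_* values are assumed from memory of Snort 2.x's preprocids.h, PP_SCANNER is a stand-in for a preprocessor that gets re-enabled, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the Snort 2.x Preprocess() loop described in the thread:
 * preprocessors run in priority order, and DisableAllDetect() clears a per-packet
 * preprocessor bitmask so later ones are skipped. Not Snort source; PRIORITY_*
 * values are assumed from memory of preprocids.h, PP_SCANNER is a stand-in. */
#define PRIORITY_APPLICATION 0x400
#define PRIORITY_LAST        0xffff
#define PROTO_BIT__TCP 0x01
#define PROTO_BIT__UDP 0x02
#define PP_HTTPINSPECT (1u << 0)
#define PP_SCANNER     (1u << 1)  /* re-enabled after DisableAllDetect(), as Todd notes */
#define PP_DPX         (1u << 2)  /* the poster's preprocessor id */

typedef struct { uint32_t proto_bit; int looks_like_http; uint32_t preprocessor_bits; } Packet;
typedef struct { uint32_t id; uint16_t priority; uint32_t proto_mask; } Preproc;

/* Models DisableAllDetect(): drop every preprocessor bit, then re-enable a chosen few. */
static void disable_all_detect(Packet *p) { p->preprocessor_bits = PP_SCANNER; }

static int cmp_priority(const void *a, const void *b) {
    return (int)((const Preproc *)a)->priority - (int)((const Preproc *)b)->priority;
}

/* One packet through the sorted preprocessor list; returns 1 if DPX was actually called. */
static int dispatch(const Preproc *pps, int n, Packet *p) {
    int dpx_ran = 0;
    p->preprocessor_bits = PP_HTTPINSPECT | PP_SCANNER | PP_DPX; /* all enabled at start */
    for (int i = 0; i < n; i++) {
        if (!(pps[i].proto_mask & p->proto_bit) || !(p->preprocessor_bits & pps[i].id))
            continue;  /* wrong protocol, or disabled earlier in this loop */
        if (pps[i].id == PP_HTTPINSPECT && p->looks_like_http) disable_all_detect(p);
        if (pps[i].id == PP_DPX) dpx_ran = 1;
    }
    return dpx_ran;
}

/* How many of a fixed constructed sample (3 HTTP, 1 other TCP, 1 UDP) reach DPX at this priority. */
int dpx_calls_at_priority(uint16_t dpx_priority) {
    Preproc pps[] = {
        { PP_HTTPINSPECT, PRIORITY_APPLICATION, PROTO_BIT__TCP },
        { PP_SCANNER,     PRIORITY_LAST,        PROTO_BIT__TCP | PROTO_BIT__UDP },
        { PP_DPX,         dpx_priority,         PROTO_BIT__TCP | PROTO_BIT__UDP },
    };
    Packet sample[] = { { PROTO_BIT__TCP, 1, 0 }, { PROTO_BIT__TCP, 1, 0 }, { PROTO_BIT__TCP, 1, 0 },
                        { PROTO_BIT__TCP, 0, 0 }, { PROTO_BIT__UDP, 0, 0 } };
    int count = 0;
    qsort(pps, 3, sizeof pps[0], cmp_priority);
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        count += dispatch(pps, 3, &sample[i]);
    return count;  /* 2 at PRIORITY_LAST, 5 at anything below PRIORITY_APPLICATION */
}
```

With DPX registered at PRIORITY_LAST only the non-HTTP packets reach it; registering it below PRIORITY_APPLICATION lets it see every TCP/UDP packet before http_inspect can disable it.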
