Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Dynamic Preprocessor- packets from established flows

From: Alex Adamos <alexthakidadam () hotmail com>
Date: Thu, 31 Jan 2013 21:28:00 +0200




Date: Thu, 31 Jan 2013 14:22:55 -0500
Subject: Re: [Snort-users] Dynamic Preprocessor- packets from established flows
From: twease () sourcefire com
To: alexthakidadam () hotmail com
CC: snort-users () lists sourceforge net

On Thu, Jan 31, 2013 at 2:04 PM, Alex Adamos <alexthakidadam () hotmail com> wrote:




Date: Wed, 30 Jan 2013 09:33:35 -0500
Subject: Re: [Snort-users] Dynamic Preprocessor- packets from established
flows
From: twease () sourcefire com
To: alexthakidadam () hotmail com
CC: snort-users () lists sourceforge net




Hi Alex,

On Tue, Jan 29, 2013 at 3:01 PM, Alex Adamos <alexthakidadam () hotmail com>
wrote:

Hi,

i managed to get my own preprocessor running (using DPX starter kit). I
would like to know when a packet gets called by my preprocessor, whether
it's from an established flow or not. Can anyone help me how to do this?


Your preprocessor will be called in src/detect.c:Preprocess(). It
will get called for any TCP/UDP packet with application data, raw off
the wire, IP frag reassembled (via frag3) or TCP reassembled (via
stream5).


In my case, i want to keep track of the tcp flows and keep state of the past
connections-flows, so when the preproc gets called, i "save" the
srcIP,dstIP,srcPort,dstPort for every tcp packet. I dont want to process any
reassembled packets so i did something like this:
  "  if(p->tcp_header){
        if (p->pseudo_packet){
             return;}
        else
             GetIPandPorts();
    return; }"
However, my preproc functions returns at the (p->pseudo_packet) every time.
What is the right way to process only the raw tcp packets (not the
reassembled ones)?


Instead of "p->pseudo_packet" (did you mean p->pseudo_type?), you
could try something like:


yes, my fault, i intended writing pseudo_type..

if (p->flags & FLAG_REBUILT_STREAM)
   return;
This isn't referring to the whole stream?thanks, i'll try that!  

ps.sorry for my bad english..






Also, i have a counter to the packets being processed by my DPX, and i
see a
significant difference with the other preprocessors. It's like my DPX
doesn't get called for every packet.
I add my preprocessor like this :

_dpd.addPreproc(DPX_Process,
PRIORITY_LAST,PP_DPX,PROTO_BIT__TCP|PROTO_BIT__UDP);


This looks correct, however you've given it PRIORITY_LAST which means
most of the other preprocessors are going to run before yours and
there are some that will disable other preprocessors if they decided
to do inspection which may be why your preprocessor isn't being called
as often as you would think. For example if http_inspect evaluates a
packet, it's likely HTTP, and the other application layer
preprocessors don't need to look at it. If you want your preprocessor
to run regardless, you could give it a higher priority, specifically
higher than PRIORITY_APPLICATION, or look for DisableDetect(),
disableDetect(), DisableAllDetect() and disableAllDetect() in the code
- you'll likely see that when these are called, some other
preprocessors are re-enabled and you could add a similar line for your
preprocessor.



thanks, changed it to PRIORITY_TRANSPORT and realised the difference!


thanks,
Alex.

                                          
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: