Re: Cannot get alert from dynamic_example preprocessor in output

[Андрей Меньков <nothingelsematters7 () gmail com>]

Great, it helped. Thank you very much, Victor.
I have another little question about how could I get to know about
preprocessor rules?
Could you please point me to documentation place about them?

I have used this tutorial for building my preprocessor
http://www.sans.org/reading_room/whitepapers/tools/developing-snort-dynamic-preprocessor_32874
.
There is nothing in it about preprocessor rules. They use dynamic_example
from Snort sources too. May be the cause is that this tutorial is out-dated?


On 20 February 2013 00:16, Victor Roemer <vroemer () sourcefire com> wrote:

> I don't see where you actually enabled a preprocessor rule in your
> configuration..
>
> Should look something like this...
>
> alert (msg:"Just lookn at dem source ports!"; sid:1; gid:256; rev:1;
> metadata:rule-type preproc;)
>
>
> Altering msg to your liking..
>
> On Tue, Feb 19, 2013 at 3:09 PM, Андрей Меньков <
> nothingelsematters7 () gmail com> wrote:
>
> > I have installed latest snort version from site sources. I have Linux
> > Mint 14 Nadia as my OS.
> > I need to write a dynamic processor, so I use dynamic_example
> > preprocessor that is in tarball with Snort.
> > It's the code https://gist.github.com/AndreiMenkou/4989418
> >
> > I have a problem with outputting alerts and I don't know how to solve it.
> > My dynamic preprocessor is loaded when snort is run. And ExampleProcess
> > function that is used to process Snort packets is called.
> > The problem actually is in alertAdd function call:
> >
> > _dpd.alertAdd(GENERATOR_EXAMPLE, SRC_PORT_MATCH, 1, 0, 3, SRC_PORT_MATCH_STR, 0);
> >
> >
> >
> > I'm sure that it's called but no alerts are generated
> > I have added output to file (using FILE* of <stdio.h>) before call to alertAdd function - and it works.
> >
> > So the problem is actually with alertAdd itself
> >
> > I thought that this problem will be solved after configuring output modules, but this didn't helped.
> >
> > I have added my custom rule in local.rules and alerts are generated and wroten to expected file. But for 
> > _dpd.alertAdd there is nothing :-(
> >
> >
> >
> >
> > How can I solve this problem? Any help would be appreciated
> >
> > My conf file for output modules look like :
> >
> > # unified2
> > # Recommended for most installs
> > output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
> >
> > # Additional configuration for specific types of installs
> > output alert_unified2: filename snort.alert, limit 128, nostamp
> > output log_unified2: filename snort.log, limit 128, nostamp
> >
> > # syslog
> > output alert_syslog: LOG_AUTH LOG_ALERT
> >
> > #alert fast
> > output alert_fast: alert.fast
> >
> > # pcap
> > # output log_tcpdump: tcpdump.log
> >
> > # metadata reference data.  do not modify these lines
> > include classification.config
> > include reference.config
> >
> >
> >
> > Full snort.conf file : https://gist.github.com/AndreiMenkou/4989412
> >
> >
> >
> >
> > Config for dynamic_example preprocessor:
> >
> >
> >
> > preprocessor dynamic_example: port 80
> >
> >
> >
> > Snort is running using command :
> > sudo snort -i wlan0 -c Projects/snort/etc/snort.conf -l ./log/
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://p.sf.net/sfu/appdyn_d2d_feb
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!