Snort mailing list archives
Re: [snort-devel] Chainning pre-processors
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Wed, 4 Dec 2013 17:19:39 -0200
Hello Hui, thanks a lot for your answer.

Right now I have registered my preprocessor (let's call it examplePreprocess as you said, because right now I'm using the one provided with the DPX) with this line:

    _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000, PROTO_BIT__TCP);

So, the only change is to add "sc" before the ExampleProcess parameter. What does it mean? Do you know if there's any documentation about chaining preprocessors?

So, checking the flags should be:

    ((SFSnortPacket *)tcppacket)->flags & FLAG_REBUILT_FRAG

right?

Thanks again!
Emiliano.

Then, I'll have to register my own preprocessor where?

2013/12/4 Hui Cao <hcao () sourcefire com>

> Yes, it is possible. You can register your preprocessor like this:
>
>     _dpd.addPreproc(sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID, PROTO_BIT__IP);
>
> Remember to check the following flag in your ExampleProcess:
>
>     ((SFSnortPacket *)ipacketp)->flags & FLAG_REBUILT_FRAG
>
> Best,
> Hui.
>
> On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
>
>> Hi everybody,
>>
>> I'm creating a new preprocessor which needs to have the whole content of a packet which was fragmented. So I thought of using the frag3 preprocessor to reassemble the packets, and then, when this reassembly is done, send it to my own preprocessor.
>>
>> Do you know if this is possible? May I have the output of frag3 be the input of my own preprocessor?
>>
>> Regards,
>> Emiliano.
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!