Snort mailing list archives

Re: [snort-devel] Chaining pre-processors


From: Hui Cao <hcao () sourcefire com>
Date: Wed, 04 Dec 2013 14:39:18 -0500

In src/preprocids.h

Best,
Hui.
On 12/04/2013 02:36 PM, Emiliano Fausto wrote:
Great,

so, the pre-processors are "chained" by default, and the order that SNORT follows to call them is set by the PRIORITY variable.

Do you know where this PRIORITY variable is defined? Because I saw that frag3 is being registered with PRIORITY_NETWORK, so I'd like to set the priority of my own preprocessor to (PRIORITY_NETWORK -1).

Thanks in advance,
Emiliano


2013/12/4 Hui Cao <hcao () sourcefire com>

    sc means snort configuration. We use PRIORITY to sort the
    processing. All processors enabled will be called and processed
    based on priority. You have to rely on the code to figure out what
    exactly snort does.

    The checking is correct. You will only process rebuilt packets.

    Best,
    Hui.
    On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
    Hello Hui,

    thanks a lot for your answer.

    Right now I have registered my preprocessor (let's call it
    examplePreprocess as you said, because right now I'm using the
    one provided with the DPX) with this line:

    _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000,
    PROTO_BIT__TCP);

    So, the only change is to add the "sc" parameter before
    ExampleProcess. What does it mean? Do you know if there's any
    documentation about chaining preprocessors?

    So, checking the flags should be:

    ((SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG

    right?

    Thanks again!
    Emiliano.



    Then, I'll have to register my own preprocessor where?


    2013/12/4 Hui Cao <hcao () sourcefire com>

        Yes, it is possible. You can register your preprocessor like this:

        _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID, PROTO_BIT__IP );

        Remember to check the following flag in your ExampleProcess:

        ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG

        Best,
        Hui.


        On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
        Hi everybody,

        I'm creating a new preprocessor which needs to have the
        whole content in a packet which was fragmented.

        So I thought of using the frag3 preprocessor to reassemble
        the packets, and then, when this reassembly is done, send it
        to my own preprocessor.

        Do you know if this is possible? May I have the output of
        frag3 being the input of my own preprocessor?

        Regards,
        Emiliano.




        _______________________________________________
        Snort-devel mailing list
        Snort-devel () lists sourceforge net
        https://lists.sourceforge.net/lists/listinfo/snort-devel
        Archive:
        http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

        Please visit http://blog.snort.org for the latest news about Snort!







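The point Hui makes about priority ordering and the rebuilt-fragment check, as a stand-alone C model added here (not code from this thread, from Snort, or from the DPX). It assumes that a lower priority value runs first, uses PRIORITY_* values as recalled from src/preprocids.h, a modeled flag bit, a trimmed packet struct and a frag3 stand-in that only sets the flag. Registering ExampleProcess at PRIORITY_NETWORK - 1 places it before frag3 in the sorted chain, so it receives the raw fragment and the flag check fails; at PRIORITY_TRANSPORT it runs after frag3 and receives the rebuilt packet. Confirm the real ordering against the dispatch loop in the Snort source, as Hui advises.

```c
/* Added example, not code from this thread, from Snort or from the DPX: a
 * stand-alone model of a priority-sorted preprocessor chain and of the
 * FLAG_REBUILT_FRAG check. Assumptions: lower priority value runs first
 * (PRIORITY_FIRST is 0 in Snort's preprocids.h); the PRIORITY_* values are
 * recalled from that header; the flag bit and packet struct are trimmed
 * stand-ins; frag3_stub only marks the packet as rebuilt. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRIORITY_FIRST      0x0
#define PRIORITY_NETWORK    0x10   /* where frag3 registers */
#define PRIORITY_TRANSPORT  0x100  /* where the DPX example registers */

#define FLAG_REBUILT_FRAG   0x1u   /* modeled bit, not Snort's actual value */

typedef struct {
    uint32_t flags;
    int      is_fragment;          /* constructed input: 1 = IP fragment */
} SFSnortPacket;                   /* trimmed model of the DPX packet */

/* DPX callbacks receive (void *packet, void *context). */
typedef void (*PreprocFunc)(void *p, void *ctx);

typedef struct { const char *name; uint16_t priority; PreprocFunc func; } PreprocEntry;

#define MAX_PP 8
static PreprocEntry chain[MAX_PP];
static int chain_len;

/* Insertion sort by priority, lowest first; equal priorities keep registration
 * order. Models "all enabled processors are called in priority order". */
static void add_preproc(const char *name, PreprocFunc f, uint16_t priority)
{
    int i = chain_len;
    if (chain_len >= MAX_PP) return;
    while (i > 0 && chain[i - 1].priority > priority) {
        chain[i] = chain[i - 1];
        i--;
    }
    chain[i].name = name;
    chain[i].priority = priority;
    chain[i].func = f;
    chain_len++;
}

/* frag3 stand-in: "reassembles" a fragment and flags the result. */
static void frag3_stub(void *p, void *ctx)
{
    SFSnortPacket *pkt = p;
    (void)ctx;
    if (pkt->is_fragment)
        pkt->flags |= FLAG_REBUILT_FRAG;
}

/* What ExampleProcess observed, so a caller can check the outcome. */
typedef struct {
    int         saw_rebuilt;       /* 1 if the rebuilt flag was set on arrival */
    const char *order[MAX_PP];     /* names in the order the chain ran */
    int         n;
} Observed;

static void ExampleProcess(void *p, void *ctx)
{
    Observed *o = ctx;
    if (((SFSnortPacket *)p)->flags & FLAG_REBUILT_FRAG)   /* the recommended check */
        o->saw_rebuilt = 1;
}

/* Run one constructed fragment through frag3 plus ExampleProcess registered
 * at example_priority. Returns 1 if ExampleProcess saw the rebuilt flag. */
static int run_chain(uint16_t example_priority, Observed *out)
{
    SFSnortPacket pkt = { 0, 1 };
    memset(out, 0, sizeof *out);
    chain_len = 0;
    add_preproc("frag3", frag3_stub, PRIORITY_NETWORK);
    add_preproc("ExampleProcess", ExampleProcess, example_priority);
    for (int i = 0; i < chain_len; i++) {
        out->order[out->n++] = chain[i].name;
        chain[i].func(&pkt, out);
    }
    return out->saw_rebuilt;
}

/* Plain-return wrappers: did the flag get seen, and which entry ran first? */
static int rebuilt_seen_at(uint16_t prio) { Observed o; return run_chain(prio, &o); }
static const char *first_to_run_at(uint16_t prio) { Observed o; run_chain(prio, &o); return o.order[0]; }

int main(void)
{
    uint16_t tries[] = { PRIORITY_NETWORK - 1, PRIORITY_TRANSPORT };
    for (size_t t = 0; t < sizeof tries / sizeof tries[0]; t++)
        printf("priority 0x%x: %s runs first, rebuilt flag seen: %d\n",
               tries[t], first_to_run_at(tries[t]), rebuilt_seen_at(tries[t]));
    return 0;
}
```

The model shows why the priority chosen at registration decides what the preprocessor sees: placed below PRIORITY_NETWORK it inspects fragments before frag3 has touched them, which is the behaviour a fragmentation-based evasion relies on, while at PRIORITY_TRANSPORT it inspects the reassembled packet and the FLAG_REBUILT_FRAG test succeeds.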
