Snort mailing list archives

Re: [snort-devel] Chaining pre-processors


From: Hui Cao <hcao () sourcefire com>
Date: Wed, 04 Dec 2013 15:39:12 -0500

Frag3 will deal with IP fragmentation. You might want reassembled data from TCP. This means your preprocessor should be after stream and you should check ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_STREAM. Snort will only reassemble up to the flush point defined (typically 16K). You can't expect Snort to give all the data in one reassembled packet.

Fragmentation from Wireshark might mean TCP segmentation. You might get full IP packets.

Best,
Hui.
On 12/04/2013 03:17 PM, Emiliano Fausto wrote:
Hui,

Yes, I understood what you told me about filtering just the de-fragmented packets; that's why I added these three lines:

SFSnortPacket *p = (SFSnortPacket *)pkt;
int fla = (p->flags & FLAG_REBUILT_FRAG);   /* non-zero only for a frag3-rebuilt packet */
_dpd.logMsg("Flags set? %d\n", fla);

But I generate fragmented packets (which, for instance, Wireshark detects and shows as fragmented, with the option of reassembling them), and with each one I always get the output "Flags set? 0".

I receive all the fragmented packets, but not the last one reassembled.

Regards,
Emiliano.


2013/12/4 Hui Cao <hcao () sourcefire com <mailto:hcao () sourcefire com>>

    It will still get all packets including the raw packets. You need to
    use packet flags to filter them.

    Best,
    Hui.

    On Wed, Dec 4, 2013 at 3:00 PM, Emiliano Fausto
    <emiliano.fausto () gmail com <mailto:emiliano.fausto () gmail com>> wrote:
    > Yes,
    >
    > that's what I thought, but for some reason the TCP packets keep on coming fragmented to my preprocessor.
    >
    > Now I took off all the preprocessors and just left frag3 and mine; I'll try to figure out if they are called in the correct order, but they are not being chained.
    >
    > Thanks,
    > Emiliano.
    >
    >
    > 2013/12/4 Hui Cao <hcao () sourcefire com <mailto:hcao () sourcefire com>>
    >>
    >> It looks good to me.
    >>
    >> Best,
    >> Hui.
    >>
    >> On Wed, Dec 4, 2013 at 2:44 PM, Emiliano Fausto
    >> <emiliano.fausto () gmail com <mailto:emiliano.fausto () gmail com>> wrote:
    >> > Hi Hui,
    >> >
    >> > I've seen that I was using PRIORITY_TRANSPORT, which is lower than the PRIORITY_NETWORK that frag3 uses.
    >> >
    >> > Anyway, I set the priority of my own preprocessor to PRIORITY_LAST, but the TCP packets keep arriving fragmented at my preprocessor.
    >> >
    >> > Is there anything else I should take into account?
    >> >
    >> > Thanks in advance,
    >> > Emiliano.
    >> >
    >> >
    >> > 2013/12/4 Hui Cao <hcao () sourcefire com <mailto:hcao () sourcefire com>>
    >> >>
    >> >> In src/preprocids.h
    >> >>
    >> >> Best,
    >> >> Hui.
    >> >>
    >> >> On 12/04/2013 02:36 PM, Emiliano Fausto wrote:
    >> >>
    >> >> Great,
    >> >>
    >> >> so, the pre-processors are "chained" by default, and the order that SNORT follows to call them is set by the PRIORITY variable.
    >> >>
    >> >> Do you know where this PRIORITY variable is defined? Because I saw that frag3 is being registered with PRIORITY_NETWORK, so I'd like to set the priority of my own preprocessor as (PRIORITY_NETWORK - 1).
    >> >>
    >> >> Thanks in advance,
    >> >> Emiliano
    >> >>
    >> >>
    >> >> 2013/12/4 Hui Cao <hcao () sourcefire com <mailto:hcao () sourcefire com>>
    >> >>>
    >> >>> sc means Snort configuration. We use PRIORITY to sort the processing. All processors enabled will be called and processed based on priority. You have to rely on the code to figure out what exactly Snort does.
    >> >>>
    >> >>> The checking is correct. You will only process rebuilt packets.
    >> >>>
    >> >>> Best,
    >> >>> Hui.
    >> >>> On 12/04/2013 02:19 PM, Emiliano Fausto wrote:
    >> >>>
    >> >>> Hello Hui,
    >> >>>
    >> >>> thanks a lot for your answer.
    >> >>>
    >> >>> Right now I have registered my preprocessor (let's call it examplePreprocess as you said, because right now I'm using the one provided with the DPX) with this line:
    >> >>>
    >> >>> _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000, PROTO_BIT__TCP);
    >> >>>
    >> >>> So, the only change is to add, before the parameter ExampleProcess, the "sc". What does it mean? Do you know if there's any documentation about this chaining of preprocessors?
    >> >>>
    >> >>> So, checking the flags should be:
    >> >>>
    >> >>> ((SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG
    >> >>>
    >> >>> right?
    >> >>>
    >> >>> Thanks again!
    >> >>> Emiliano.
    >> >>>
    >> >>>
    >> >>>
    >> >>> Then, I'll have to register my own preprocessor where?
    >> >>>
    >> >>>
    >> >>> 2013/12/4 Hui Cao <hcao () sourcefire com <mailto:hcao () sourcefire com>>
    >> >>>>
    >> >>>> Yes, it is possible. You can register your preprocessor like this:
    >> >>>>
    >> >>>> _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID, PROTO_BIT__IP );
    >> >>>>
    >> >>>> Remember to check the following flag in your ExampleProcess:
    >> >>>>
    >> >>>> ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG
    >> >>>>
    >> >>>> Best,
    >> >>>> Hui.
    >> >>>>
    >> >>>>
    >> >>>> On 12/04/2013 12:52 PM, Emiliano Fausto wrote:
    >> >>>>
    >> >>>> Hi everybody,
    >> >>>>
    >> >>>> I'm creating a new preprocessor which needs to have the whole content of a packet which was fragmented.
    >> >>>>
    >> >>>> So I thought of using the frag3 preprocessor to reassemble the packets, and then, when this reassembly is done, send it to my own preprocessor.
    >> >>>>
    >> >>>> Do you know if this is possible? May I have the output of frag3 be the input of my own preprocessor?
    >> >>>>
    >> >>>> Regards,
    >> >>>> Emiliano.



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
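Added example, not code from this thread or from Snort: the two points Hui makes, that a preprocessor registered after frag3/stream still receives raw packets and must filter on the rebuilt flags, and that stream hands back reassembled data only up to the flush point (typically 16K) so one rebuilt packet need not be the whole message. SFSnortPacket and the FLAG_* macros are stood in by a small struct and constructed constants so the logic compiles offline; a real preprocessor includes sf_snort_packet.h and uses its definitions instead.

```c
/* Added example: flag filtering and chunk accumulation for a preprocessor
 * that runs after frag3 and stream. DemoPacket and the FLAG_* values are
 * stand-ins for Snort's SFSnortPacket and sf_snort_packet.h (assumption). */
#include <stddef.h>
#include <stdint.h>

#define FLAG_REBUILT_FRAG    0x00000001u   /* constructed stand-in value */
#define FLAG_REBUILT_STREAM  0x00000002u   /* constructed stand-in value */

typedef struct {            /* the subset of SFSnortPacket used here */
    uint32_t flags;
    uint16_t payload_size;
} DemoPacket;

/* Per-flow state: stream returns reassembled data in flush-point sized
 * pieces, so the preprocessor has to accumulate across rebuilt packets. */
typedef struct { size_t got, want; } FlowState;

/* 1 if the packet carries data rebuilt by the layer 'mask' selects
 * (FLAG_REBUILT_FRAG for frag3, FLAG_REBUILT_STREAM for stream).
 * Raw packets still reach the callback and are skipped this way. */
int is_rebuilt(const DemoPacket *p, uint32_t mask)
{
    return (p->flags & mask) != 0;
}

/* Feed one packet; returns 1 once 'want' bytes of rebuilt stream data
 * have arrived, 0 otherwise. Raw segments contribute nothing. */
int feed_rebuilt_stream(FlowState *fs, const DemoPacket *p)
{
    if (!is_rebuilt(p, FLAG_REBUILT_STREAM))
        return 0;
    fs->got += p->payload_size;
    return fs->got >= fs->want;
}

/* Constructed scenario: a 20K message arrives as raw segments (ignored),
 * then as two rebuilt chunks of 16K and 4K. Returns how many rebuilt
 * packets were needed before the message was complete (2 here). */
int demo_chunks_needed(void)
{
    FlowState fs = { 0, 20480 };
    DemoPacket raw    = { 0, 1400 };
    DemoPacket chunk1 = { FLAG_REBUILT_STREAM, 16384 };
    DemoPacket chunk2 = { FLAG_REBUILT_STREAM, 4096 };
    int seen = 0;
    for (int i = 0; i < 3; i++) feed_rebuilt_stream(&fs, &raw);
    seen++; if (feed_rebuilt_stream(&fs, &chunk1)) return seen;
    seen++; if (feed_rebuilt_stream(&fs, &chunk2)) return seen;
    return -1;
}
```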
