Snort mailing list archives

[Snort-Devel] SNORT Detection-Plugin just call once


From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Wed, 12 Feb 2014 18:26:34 -0200

Hello there,

I'm debugging with gdb a detection plugin I've developed, and there's
something I am not fully understanding.

I have this function (which should be called every time a packet matches
one of my rules that invokes a keyword named "MyDP"):

...
/* per-rule option state, filled in when the rule is parsed */
typedef struct _MyDPData
{
    u_int16_t   num;
}
MyDPData;
...

/* per-packet evaluator: context is the MyDPData parsed for this rule */
int MyDPCheck(void *context, Packet *p)
{
  MyDPData* mydata;

  LogMessage("My processing function was called\n");

  /* only TCP packets are of interest */
  if (!p->tcph)
      return DETECTION_OPTION_NOT_MATCH;

  mydata = (MyDPData *) context;

  /* match only when the option value is exactly 90 */
  if (mydata->num == 90) {
      LogMessage("it matched\n");
      return DETECTION_OPTION_MATCH;
  }

  return DETECTION_OPTION_NOT_MATCH;
}

I'm facing 2 problems here:

1) When I'm debugging with GDB it seems that this function is being called
just once. The moment it's called is when Snort is parsing the
snort.conf file and detects a keyword in a rule which matches
"MyDP". Then it doesn't matter how many packets validate the rest of the
rule, it doesn't seem to be called (because the breakpoint on the
function MyDPCheck isn't triggered any more).

Note: It's strange, because my /var/log/snort/alert file is full of alerts
referring to this alert being triggered, although I don't see the "it
matched" message.

My question is, shouldn't it be logging the message "it matched" each
time it matches a packet calling this rule with num==90?

Snort.Conf rule -> alert tcp any any -> any any (MyDP: 90; msg: "My DP was
called"; sid: 5016666; rev:1;)

2) I realized that it doesn't matter what number I put into the rule (in the
previous example I just put 90), the detection plugin always returns "True"
--> DETECTION_OPTION_MATCH.
So it doesn't make any sense to me, as it's a really simple comparison
between the number stored in the option value and the hard-coded value 90.

In this case, I'm almost sure that the alert should NOT be triggered if I
put numbers different from 90 in the keyword value, right?

Thanks in advance to anyone who could shed some light on this matter!
Emiliano.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
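As an added illustration (not from the post, and not Snort's own code), the C harness below mimics the contract a per-rule detection option has to meet: the parsed option value lives in a context struct, an evaluator is attached to the rule's option chain, and the alert fires only when every evaluator in the chain returns DETECTION_OPTION_MATCH. The names pkt_t, rule_t, rule_add_option, rule_eval, tcp_header_check, MyDPInit and count_alerts are constructed for the harness, and the return-code values are chosen here; MyDPCheck is the post's function re-typed against the stand-in packet. The harness also models one failure mode that is consistent with both symptoms reported above, stated as an assumption rather than a diagnosis: if the check runs once during configuration parsing but is never attached to the rule's per-packet chain, the remaining options decide the alert on their own, so alerts are logged while "it matched" never appears.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Return codes with the same meaning as Snort's; the values are chosen here. */
#define DETECTION_OPTION_MATCH     1
#define DETECTION_OPTION_NOT_MATCH 0
#define MAX_RULE_OPTS              4

/* Constructed stand-in for Snort's Packet: only the fields the checks read. */
typedef struct { int is_tcp; uint16_t dport; } pkt_t;

/* Stand-in for Snort's LogMessage(): plain printf to stdout. */
static void LogMessage(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
}

/* Per-rule option state, as in the post. */
typedef struct { uint16_t num; } MyDPData;

/* The post's check, against the stand-in packet type. It is meant to run
   once per packet and to gate the alert on the parsed option value. */
int MyDPCheck(void *context, const pkt_t *p)
{
    MyDPData *mydata;

    LogMessage("My processing function was called\n");

    if (!p->is_tcp)
        return DETECTION_OPTION_NOT_MATCH;

    mydata = (MyDPData *)context;
    if (mydata->num == 90) {
        LogMessage("it matched\n");
        return DETECTION_OPTION_MATCH;
    }
    return DETECTION_OPTION_NOT_MATCH;
}

/* Hypothetical option init: parse the keyword argument ("90") into a context.
   It only parses; calling the check from here would run it exactly once. */
void *MyDPInit(const char *arg)
{
    MyDPData *d = calloc(1, sizeof *d);
    if (d) d->num = (uint16_t)strtoul(arg, NULL, 10);
    return d;
}

/* Models the "tcp" in the rule header: matches any TCP packet. */
static int tcp_header_check(void *context, const pkt_t *p)
{
    (void)context;
    return p->is_tcp ? DETECTION_OPTION_MATCH : DETECTION_OPTION_NOT_MATCH;
}

/* A rule is a chain of (evaluator, context) pairs; all must match to alert. */
typedef int (*opt_eval_fn)(void *context, const pkt_t *p);
typedef struct { opt_eval_fn eval; void *context; } rule_opt_t;
typedef struct { rule_opt_t opts[MAX_RULE_OPTS]; int nopts; } rule_t;

int rule_add_option(rule_t *r, opt_eval_fn eval, void *context)
{
    if (r->nopts >= MAX_RULE_OPTS) return -1;
    r->opts[r->nopts].eval = eval;
    r->opts[r->nopts].context = context;
    r->nopts++;
    return 0;
}

/* Evaluate a rule against one packet: every option in the chain must match. */
int rule_eval(const rule_t *r, const pkt_t *p)
{
    for (int i = 0; i < r->nopts; i++)
        if (r->opts[i].eval(r->opts[i].context, p) != DETECTION_OPTION_MATCH)
            return DETECTION_OPTION_NOT_MATCH;
    return DETECTION_OPTION_MATCH;
}

/* Build "alert tcp ... (MyDP: <arg>; ...)" and count alerts over a constructed
   sample. in_chain=0 models a check that was parsed but never attached. */
int count_alerts(const char *arg, int in_chain)
{
    static const pkt_t sample[] = { { 1, 80 }, { 1, 443 }, { 0, 53 } }; /* 2 TCP, 1 UDP */
    rule_t rule = { 0 };
    void *ctx = MyDPInit(arg);
    int alerts = 0;

    rule_add_option(&rule, tcp_header_check, NULL);
    if (in_chain)
        rule_add_option(&rule, MyDPCheck, ctx);

    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (rule_eval(&rule, &sample[i]) == DETECTION_OPTION_MATCH)
            alerts++;

    free(ctx);
    return alerts;
}

int main(void)
{
    printf("MyDP: 90, check attached     -> %d alerts\n", count_alerts("90", 1)); /* 2 */
    printf("MyDP: 91, check attached     -> %d alerts\n", count_alerts("91", 1)); /* 0 */
    printf("MyDP: 90, check not attached -> %d alerts\n", count_alerts("90", 0)); /* 2 */
    return 0;
}
```

The third case is the one to compare against the symptoms in the post: the alert count is the same as the correct case, yet MyDPCheck never runs, so "it matched" is never logged and a value other than 90 changes nothing. A unit test of this shape, run against the option in isolation, is a cheap way to confirm that a custom keyword really gates the rule before trusting the alerts it produces.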
