Snort mailing list archives

Re: [Snort-Devel] SNORT Detection-Plugin just call once


From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Mon, 17 Feb 2014 10:35:44 -0300

Hi John,

thanks a lot for your help. I'll check all those points to make sure my
function is being called properly.

Regards,
Emiliano.


2014-02-15 21:50 GMT-03:00 John Eure <john.eure () gmail com>:

For a static detection plugin, which is what I'm using, I did have to add
a new rule option type in src/rule_option_types.h, and add corresponding
entries in src/detection-plugins/detection_options.c, not only in the
option_type_str array, but also in all 4 switch statements.  In particular,
the switch statement in detection_option_node_evaluate() is where your
MyDetectionPlugin_MyRuleOption_Detect() will wind up being called from.  So
that might be a good place to stick a debugging breakpoint, if you don't
mind it being called a lot?

I also had to add MyDetectionPlugin_Setup() to src/plugbase.c, and add an
entry to src/plugin_enum.h.  And that's all the changes I needed to make to
the existing source code, aside from adding header includes and editing
makefiles.

John


On Thu, Feb 13, 2014 at 5:45 AM, Emiliano Fausto <emiliano.fausto () gmail com> wrote:

Hi John,

another question would be, is it mandatory to add into the files
rule_option_types.h and detection_options.c a new variable called:
RULE_OPTION_TYPE_MY_DETECTION?

Because, I've taken as an example the asn1 detection plugin, and that's
the only difference I could notice.

When debugging Snort with gdb and setting a breakpoint on the function
Asn1Detect(), it's called for almost every packet, as you told me. But
setting a breakpoint in MyDetectionPlugin_MyRuleOption_Detect() doesn't
work properly, as it's not called.

I thought that the necessary thing to link to my detection plugin was to:

1) Register the keyword: RegisterRuleOption("my_option_name",
MyDetectionPlugin_MyRuleOption_Init());

2) Make sure that the linking to my processing function was established:
OptFpList * fpl = AddOptFuncToList(MyDetectionPlugin_MyRuleOption_Detect());

3) Create the function MyDetectionPlugin_MyRuleOption_Detect(); which
will return DETECTION_OPTION_MATCH or DETECTION_OPTION_NOT_MATCH.

Do you have any key on that?

Thanks in advance,
Emiliano.


2014-02-13 9:38 GMT-03:00 Emiliano Fausto <emiliano.fausto () gmail com>:

Hello John,

thanks a lot for your quick answer. You are totally right about the way
my static Detection Plugin should be called.

Then as you guessed, the problem is that
MyDetectionPlugin_MyRuleOption_Init() isn't called at all.

I'll start researching in that line, again... Thanks for your help!

Emiliano.


2014-02-12 18:56 GMT-03:00 John Eure <john.eure () gmail com>:

I've only done this a few times before, but it sounds like you might be
setting something up incorrectly?  My static detection plugin setup code
looks something like this (please pardon the incredibly simplified
pseudocode):

// called once, during setup
void MyDetectionPlugin_Setup(void)
{
    // pass the init function itself (a pointer), not the result of calling it;
    // the remaining arguments of RegisterRuleOption are omitted here
    RegisterRuleOption("my_option_name", MyDetectionPlugin_MyRuleOption_Init /*, ... */);
}

// called once per rule that uses "my_option_name", during setup
void MyDetectionPlugin_MyRuleOption_Init(char *args, OptTreeNode *otn /*, ... */)
{
    // attach the detect function to this rule's option list; the parsed
    // option data for this rule goes into the node's context
    OptFpList *fpl = AddOptFuncToList(MyDetectionPlugin_MyRuleOption_Detect, otn);
    (void)fpl;
}

// called a lot, at most once per packet per rule, during detection
int MyDetectionPlugin_MyRuleOption_Detect(void *context, Packet *p)
{
    return DETECTION_OPTION_MATCH;
}

If you're not seeing multiple calls to your equivalent of
"MyDetectionPlugin_MyRuleOption_Init()", then that's probably the place to
start investigating.

If that's not the cause, then I'm guessing you're doing something wrong
when assigning values to the state associated with the rules.  You need to
be setting up the OptTreeNode and OptFuncList correctly, including setting
otn->ds_list[plugin_type] to something associated with your rule.  But
that's way more complicated than I feel comfortable explaining, so my
suggestion would be to pick a few simple detection plugins, and follow
their logic?

Good luck,
John



On Wed, Feb 12, 2014 at 12:26 PM, Emiliano Fausto <emiliano.fausto () gmail com> wrote:

Hello there,

I'm debugging with gdb a detection plugin I've developed, and there's
something I am not fully understanding.

I have this function (which should be called every time a packet
matches one of my rules which invokes a keyword named "MyDP"):

...
typedef struct _MyDPData
{
    u_int16_t   num;
}
MyDPData;
...

int MyDPCheck(void *context, Packet *p)
{

  LogMessage("My processing function was called\n");

  MyDPData* mydata;

  if (!p->tcph)
      return DETECTION_OPTION_NOT_MATCH;

  mydata = (MyDPData *) context;

  if (mydata->num == 90) {
      LogMessage("it matched\n");
      return DETECTION_OPTION_MATCH;
  }

  return DETECTION_OPTION_NOT_MATCH;
}

I'm facing 2 problems here:

1) When I'm debugging with GDB it seems that this function is being
called just once. The moment it's called is when Snort is parsing the
snort.conf file and detects there's a keyword in a rule which matches
"MyDP". Then it doesn't matter how many packets validate the rest of
the rule, it doesn't seem to be called (because the breakpoint on the
function MyDPCheck isn't triggered any more).

Note: It's strange, because my /var/log/snort/alert file is full of
alerts referring to this alert being triggered, although I don't see the
"it matched" message.

My question is, shouldn't it be logging the message "it matched"
each time it matches a packet calling this rule with num==90?

snort.conf rule -> alert tcp any any -> any any (MyDP: 90; msg: "My DP was called"; sid: 5016666; rev:1;)

2) I realized that it doesn't matter what number I put into the rule
(in the previous example I just put 90), the Detection Plugin always
returns "True" --> DETECTION_OPTION_MATCH.
So, it doesn't make any sense to me, as it's a really simple
comparison between the stored option value and the hard-coded value
90.

In this case, I'm almost sure that the alert should NOT be triggered
if I put numbers different than 90 in the keyword value, right?

Thanks in advance to anyone who could give me some light on this
matter!
Emiliano.
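As an added, self-contained illustration of the plugin lifecycle John sketches above (Setup registering the keyword once, Init running once per rule that uses it, Detect running once per packet per rule) and of the per-rule context that a Detect function like MyDPCheck receives, the following C program models that flow end to end. It is not Snort code and not from this thread: RegisterRuleOption, AddOptFuncToList, OptTreeNode, OptFpList and Packet are simplified stand-ins with hypothetical signatures, the rule parser and detection loop are toys, and the rule value and packets are constructed inline. The counters show what a breakpoint in each stage would see.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DETECTION_OPTION_MATCH     1
#define DETECTION_OPTION_NOT_MATCH 0

/* Constructed stand-ins for Snort's Packet, OptTreeNode and OptFpList. */
typedef struct { int has_tcp; } Packet;
typedef struct OptTreeNode OptTreeNode;
typedef int  (*RuleOptEvalFunc)(void *context, Packet *p);
typedef void (*RuleOptConfigFunc)(char *args, OptTreeNode *otn);

typedef struct OptFpList {
    RuleOptEvalFunc   eval;     /* the plugin's Detect function */
    void             *context;  /* this rule's parsed option data */
    struct OptFpList *next;
} OptFpList;
struct OptTreeNode { unsigned sid; OptFpList *opt_func; };

/* Keyword registry filled at Setup time (hypothetical, not Snort's table). */
static struct { const char *keyword; RuleOptConfigFunc init; } registry[8];
static int nregistered;

static void RegisterRuleOption(const char *keyword, RuleOptConfigFunc init)
{
    registry[nregistered].keyword = keyword;
    registry[nregistered].init = init;
    nregistered++;
}

/* Append an eval function to the rule's option list and return the node. */
static OptFpList *AddOptFuncToList(RuleOptEvalFunc eval, OptTreeNode *otn)
{
    OptFpList *node = calloc(1, sizeof *node), **tail = &otn->opt_func;
    node->eval = eval;
    while (*tail) tail = &(*tail)->next;
    return *tail = node;
}

/* ---- the plugin: same shape as MyDPCheck in the original question ---- */
typedef struct { unsigned short num; } MyDPData;
int mydp_init_calls, mydp_detect_calls;   /* counters for the demonstration */

/* Detect: runs once per packet per rule, sees only this rule's context. */
static int MyDPCheck(void *context, Packet *p)
{
    MyDPData *data = context;
    mydp_detect_calls++;
    if (!p->has_tcp)
        return DETECTION_OPTION_NOT_MATCH;
    return data->num == 90 ? DETECTION_OPTION_MATCH : DETECTION_OPTION_NOT_MATCH;
}

/* Init: runs once per rule using "MyDP"; parses the value and attaches it. */
static void MyDPInit(char *args, OptTreeNode *otn)
{
    MyDPData *data = calloc(1, sizeof *data);
    mydp_init_calls++;
    data->num = (unsigned short)strtoul(args, NULL, 10);
    AddOptFuncToList(MyDPCheck, otn)->context = data;
}

/* Setup: runs once at startup and only registers the keyword. */
static void MyDPSetup(void) { RegisterRuleOption("MyDP", MyDPInit); }

/* ---- toy rule parser and detection loop ---- */
static int ParseRuleOption(OptTreeNode *otn, const char *keyword, char *args)
{
    for (int i = 0; i < nregistered; i++)
        if (strcmp(registry[i].keyword, keyword) == 0) {
            registry[i].init(args, otn);
            return 1;
        }
    return 0;   /* unknown keyword */
}

static int EvaluateRule(OptTreeNode *otn, Packet *p)
{
    for (OptFpList *n = otn->opt_func; n; n = n->next)
        if (n->eval(n->context, p) != DETECTION_OPTION_MATCH)
            return 0;
    return 1;
}

/* Run the whole lifecycle for "MyDP: <value>" against npackets constructed
 * packets (even-numbered ones TCP, odd ones not); returns the alert count. */
int run_model(const char *mydp_value, int npackets)
{
    OptTreeNode otn = { 5016666, NULL };
    char args[16];
    int alerts = 0;

    nregistered = mydp_init_calls = mydp_detect_calls = 0;
    MyDPSetup();
    snprintf(args, sizeof args, "%s", mydp_value);
    if (!ParseRuleOption(&otn, "MyDP", args))
        return -1;
    for (int i = 0; i < npackets; i++) {
        Packet p = { i % 2 == 0 };
        alerts += EvaluateRule(&otn, &p);
    }
    for (OptFpList *n = otn.opt_func, *next; n; n = next) {   /* cleanup */
        next = n->next; free(n->context); free(n);
    }
    return alerts;
}

int main(void)
{
    int a = run_model("90", 6);
    printf("MyDP: 90 -> %d alerts (init %d, detect %d)\n", a, mydp_init_calls, mydp_detect_calls);
    a = run_model("80", 6);
    printf("MyDP: 80 -> %d alerts (init %d, detect %d)\n", a, mydp_init_calls, mydp_detect_calls);
    return 0;
}
```

With six packets, Init runs once, Detect runs six times, and only the three TCP packets match when the rule says 90; with 80 the same six Detect calls all return NOT_MATCH. The value decided at Init time is the only thing Detect ever compares against, so a plugin that alerts regardless of the configured value while its Detect breakpoint never fires, as in the original question, is behaving as John suggests: the option state is not reaching the rule's option list, and that wiring is the place to check.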



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
