Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine

[Emiliano Fausto <emiliano.fausto () gmail com>]

Hi all,

after doing some more research on this, I think that although it could be a
different way of facing this requirement I have, there could be a way
developing a "Detection Plugin".

Does anyone know if from my own detection plugin, I could call the
"content" or "pcre" one?

For instance, I create the detection plugin called: "givesTheUser", which
will create these 2 variables into SNORT memory structure (user_surname and
user_name).

But inside my plugin, I'd like to use the keywords pcre or content, without
"re-coding" them, is it possible? have anyone done something similar before?

Thanks in advance!
Emiliano.


2014/1/10 Emiliano Fausto <emiliano.fausto () gmail com>

> hi there,
>
> just in case. I know that I would be able to create a Detection-plugin,
> like the tcpurg example. But the problem is that, I'd rather use the snort
> detection engine to have the string, hex and prcre full searching features.
>
> It would be really hard to me, to start from the scratch doing those
> functionality. Instead, I'll like to take advantage of them and use them as
> the http_header does for example.
>
> Regards!
> Emiliano.
>
>
> 2014/1/10 Emiliano Fausto <emiliano.fausto () gmail com>
>
> > Hi all!
> >
> > I'm developing a preprocessor which takes extra information from a
> > packet, and I'd like that this info is sent to the global SNORT structure
> > to be used into the rules engine.
> >
> > Let's suppose I have a packet with this information:
> >
> > |header| payload| --> Into the Payload, I have the info: Name="John",
> > Surname="Doe".
> >
> > And I create two variables in the preprocessor called:
> >
> > user_name= payload-->Name
> > user_surname= payload-->Surname
> >
> > So, I'd like to know if someone has worked with global variables so that
> > I can create a new rule in SNORT which would be something like:
> >
> > alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
> > "John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
> > logged in to the system"; sid: 12345678; rev: 1; )
> >
> > Thanks in advance,
> > Emiliano.
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!