Re: Snort 3.0: Actions

["Russ Combs (rucombs)" <rucombs () cisco com>]

I thought you were trying to implement your own action.  There is no need to change the code to make reject work.  Use 
this conf:

    require('snort_config')
    reject = { reset = 'both' }
    ips = { rules = 'reject tcp any any -> any 80 ( sid:1; msg:"rej get"; content:"GET"; )' }

And run in inline mode.  If I do this:

    snort -c snort.lua -A alert_test -r ../pcaps/get.pcap --daq dump --daq-var load-mode=read-file -Q

The output is:

...
dump DAQ configured to inline.
Commencing packet processing
++ [0] ../pcaps/get.pcap
4       1       1       0       
-- [0] ../pcaps/get.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 16
                 analyzed: 16
                 injected: 2
                    allow: 3
                    block: 12
                blacklist: 1
...

Be sure to pull the latest from github.  Just pushed an encoder fix you will need for proper output.

________________________________________
From: Sancho Panza [sancho () posteo de]
Sent: Thursday, February 05, 2015 10:53 AM
To: Russ Combs (rucombs)
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Snort 3.0: Actions

Yes sure, this patch is for snort-3.0.0-a1-135-auto.tar.gz

It's only just the changes that I mentioned in my last mail.

I use the following rule for testing:


reject ip any any -> any any ( msg:"test"; sid:200000; )


After applying my patch, you should see how act_reject.cc:exec() is
entered (configure with "--enable-debug --enable-debug-msgs" and run
with SNORT_DEBUG=32).

Regards,

Sancho

Am 05.02.2015 13:08 schrieb Russ Combs (rucombs):
> Sancho,
>
> That's not how these actions work.  Action plugins have a builtin
> action associated with them (alert, drop, etc.).  When you define a
> new action plugin, like reject, you don't modify the source code.
> Just use the given API.
>
> If you send me your source I can help you get it working.
>
> Thanks
> Russ
> ________________________________________
> From: Sancho Panza [sancho () posteo de]
> Sent: Thursday, February 05, 2015 5:34 AM
> To: Russ Combs (rucombs)
> Cc: snort-devel () lists sourceforge net
> Subject: RE: [Snort-devel] Snort 3.0: Actions
>
> Hello!
>
> After I wrote yesterday I had another look at it all and found out a
> few
> more things.
>
> > * Drop doesn't have an action because it is built in.  Externally
>
> I think the reason why the actions/act_reject.cc module doesn't kick in
> is because its rule type is set to RULE_TYPE__DROP in rej_api.
>
>
> > defined actions must be configured to become available to the parser.
> > For the reject rule, you can set reject = { } to get the rule to
> > parse.  It won't work without setting the type of response
> > (reject.reset, etc.) but I just discovered that will fail in the
> > encoder (it *used* to work :).  So don't try that (or react) until we
> > get a fix out.
>
> I tried by defining RULE_TYPE__REJECT in actions/actions.h and setting
> the rule type of rej_api to that newly defined value. I also had to add
> add "reject" to the "static const char* const
> rule_type[RULE_TYPE__MAX]"
> array in actions/actions.cc.
>
> After that, the exec() function from actions/act_reject.cc got called
> for a reject type rule. But I'm not sure whether it's supposed to work
> like that, or am I just improvising...
>
> Regards
>
> Sancho
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!