Snort mailing list archives

unified2 extra data - howto


From: Michal Keníž <michalkeniz () gmail com>
Date: Wed, 25 Mar 2015 23:35:01 +0100

Hello,

I am currently developing a snort dynamic preprocessor. I would like to
log some additional data to the unified2 extra data field as described here
http://manual.snort.org/node44.html#SECTION00637000000000000000 .

I couldn't find any howtos or documentation about this topic, so I tried to
figure it out by inspecting the smtp preprocessor which uses the extra data
field (as can be seen here https://www.snort.org/faq/readme-unified2).

I thought it should be enough if I use the following code:

   - Init function ~

   static void Init(struct _SnortConfig *sc, char *args)
   {
       // basic init stuff ~ config and registering

       // register the extra data callback and keep the id it returns
       config->xtra_funkcion_id =
           _dpd.streamAPI->reg_xtra_data_cb(CallBackFunctionUnified2);
   }

   - CallBackfunction ~

   int CallBackFunctionUnified2(void *data, uint8_t **buf, uint32_t *len,
                                uint32_t *type)
   {
       _dpd.logMsg("Npcusum: JUST TRYING IF THIS FUNCTION IS CALLED WHILE TRAFFIC "
                   "PROCESSING \n");
       return 0;
   }

   - Packet processing ~

   static void ProcessPacket(void *pkt, void *context)
   {
       // cast added for completeness: the dynamic preprocessor API hands over an SFSnortPacket
       SFSnortPacket *p = (SFSnortPacket *)pkt;
       // not important stuff.
       if ((p->tcp_header->flags & TCPHEADER_FIN) == TCPHEADER_FIN) { // just packets with FIN flag
           config->userdata.fin_count = config->userdata.fin_count + 1;
           _dpd.logMsg("Npcusum: JUST TRYING TO LOG SOMETHING :\n");
           _dpd.streamAPI->set_extra_data(p->stream_session, p,
                                          config->xtra_funkcion_id);
       }
       // not important stuff.
   }

But this doesn't work, no log message is displayed (so the function is not
called at all).

Would it be possible to give me some info/guidelines about using the
unified2 extra data field in a new dynamic preprocessor - a basic example
(maybe an extension of the snort example preprocessor?), or just a list of
requirements I do have to fulfill for it to work.

Thank you for your time,

Best regards, Michal

-- 
Carpe Diem
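Added example, not part of the original post or of Snort: a Python round-trip of one unified2 extra-data record, serialised the way the unified2 output plugin lays it out (record header, Unified2ExtraDataHdr, SerialUnified2ExtraData, blob; all fields network byte order) so you can check a unified2 file for the records a preprocessor's callback is expected to produce. The layout and type ids are taken from unified2.h as understood here; the sample values are constructed.

```python
import struct

# Record and extra-data constants from Snort's unified2.h.
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPE_EXTRA_DATA = 4
EVENT_DATA_TYPE_BLOB = 1
EXTRA_DATA_TYPES = {
    1: "xff_ipv4", 2: "xff_ipv6", 3: "reviewed_by", 4: "gzip_data",
    5: "smtp_filename", 6: "smtp_mailfrom", 7: "smtp_rcptto",
    8: "smtp_email_hdrs", 9: "http_uri", 10: "http_hostname",
    11: "ipv6_src", 12: "ipv6_dst", 13: "jsnorm_data",
}
HDR = struct.Struct("!II")         # Unified2ExtraDataHdr: event_type, event_length
SERIAL = struct.Struct("!IIIIII")  # sensor_id, event_id, event_second, type, data_type, blob_length


def build_extra_data(sensor_id, event_id, event_second, xtype, blob):
    """Serialise one extra-data record as the unified2 output plugin writes it."""
    # blob_length covers the data_type and blob_length fields (8 bytes) plus the payload.
    body = SERIAL.pack(sensor_id, event_id, event_second, xtype,
                       EVENT_DATA_TYPE_BLOB, 8 + len(blob)) + blob
    body = HDR.pack(EVENT_TYPE_EXTRA_DATA, HDR.size + len(body)) + body
    return struct.pack("!II", UNIFIED2_EXTRA_DATA, len(body)) + body


def parse_extra_data(buf, offset=0):
    """Parse the extra-data record at offset; returns (fields, offset of next record)."""
    rec_type, rec_len = struct.unpack_from("!II", buf, offset)
    if rec_type != UNIFIED2_EXTRA_DATA:
        raise ValueError("not an extra-data record: type %d" % rec_type)
    body = buf[offset + 8:offset + 8 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    event_type, event_length = HDR.unpack_from(body, 0)
    if event_type != EVENT_TYPE_EXTRA_DATA or event_length != rec_len:
        raise ValueError("inconsistent extra-data header")
    sensor_id, event_id, event_second, xtype, data_type, blob_length = \
        SERIAL.unpack_from(body, HDR.size)
    start, payload_len = HDR.size + SERIAL.size, blob_length - 8
    if data_type != EVENT_DATA_TYPE_BLOB or start + payload_len != rec_len:
        raise ValueError("bad blob length")
    return {"sensor_id": sensor_id, "event_id": event_id,
            "event_second": event_second, "type": xtype,
            "type_name": EXTRA_DATA_TYPES.get(xtype, "unknown/custom"),
            "blob": body[start:start + payload_len]}, offset + 8 + rec_len
```

A preprocessor-defined type id outside the table is reported as "unknown/custom", which is what a custom callback like the one above would produce.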
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel