Snort mailing list archives

Re: Snort3 Plugin IPS Option: unknown rule keyword


From: Jianyu Li via Snort-users <snort-users () lists snort org>
Date: Mon, 8 Apr 2019 13:09:53 +0000

Hi Russ,


Thank you very much for your reply!


I think I found the problem: I hadn't added the BaseApi of ips_pkt_num to the BaseApi list in dpx. After adding it, it worked!

in dpx.cc:
extern const BaseApi* ips_pkt_num;

SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &dpx_api.base,
    ips_pkt_num,
    nullptr
};

I have two files in the dpx folder: one is dpx.cc and the other is ips_pkt_num2.cc. I was trying to package the ips option together with the inspector.
I provide the snort_plugins symbol in dpx.cc.

Thanks again for your help!

Li
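What the fix above amounts to is a single null-terminated `snort_plugins` list per shared object, with one entry for every plugin compiled into it. The following is an added example, not code from the thread, from Snort or from the dpx plugin: it models the two translation units (ips_pkt_num2.cc and dpx.cc) in one file with a simplified stand-in `BaseApi` (the real `snort::BaseApi` has more fields), and a loader that walks the list the way Snort resolves a rule keyword. The version numbers and the `snort_plugins_missing_option` list are illustrative; the latter reproduces the state from the first message, where the option was not in any exported list.

```cpp
#include <cstring>
#include <string>
#include <vector>

// Simplified stand-in for snort::BaseApi: the real struct carries more
// fields (size, API version, ctor/dtor callbacks), but the loader only
// needs the type and the name to resolve a rule keyword.
enum class PluginType { Inspector, IpsOption };

struct BaseApi
{
    PluginType type;
    const char* name;   // the keyword rules use: "pkt_num2:30;" looks up "pkt_num2"
    unsigned version;   // illustrative
};

// ---- what ips_pkt_num2.cc provides ---------------------------------------
// The api object stays file-local; only a pointer to its base leaves the
// file. The pointer is deliberately a non-const object (pointer to const
// BaseApi), so it has external linkage and can be declared extern elsewhere;
// its initializer is an address constant, so it is initialized statically.
static const BaseApi pkt_num2_api = { PluginType::IpsOption, "pkt_num2", 1 };
const BaseApi* ips_pkt_num = &pkt_num2_api;

// ---- what dpx.cc provides ------------------------------------------------
static const BaseApi dpx_api = { PluginType::Inspector, "dpx", 1 };

// Stand-in for Snort's SO_PUBLIC (default visibility so the symbol is
// exported from the shared object on GCC/Clang builds).
#if defined(__GNUC__)
#define SO_PUBLIC __attribute__((visibility("default")))
#else
#define SO_PUBLIC
#endif

extern const BaseApi* ips_pkt_num;   // as in the fixed dpx.cc

// The one list the shared object exports: every plugin compiled into it,
// then a nullptr terminator. Leaving ips_pkt_num out of this list is
// exactly the "unknown rule keyword" state from the thread.
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &dpx_api,
    ips_pkt_num,
    nullptr
};

// The broken variant from the first message, kept for comparison: the
// option file no longer exports its own list and dpx's list omits it.
const BaseApi* snort_plugins_missing_option[] = { &dpx_api, nullptr };

// ---- loader side, modelled on how Snort consumes the list ----------------
// Walk a null-terminated plugin list and collect the names of one type.
std::vector<std::string> list_plugins(const BaseApi* const* plugins, PluginType t)
{
    std::vector<std::string> names;
    for (const BaseApi* const* p = plugins; *p != nullptr; ++p)
        if ((*p)->type == t)
            names.emplace_back((*p)->name);
    return names;
}

// Resolve a rule keyword against the registered IPS options; a false here
// is the condition Snort reports as "unknown rule keyword".
bool rule_keyword_known(const BaseApi* const* plugins, const char* keyword)
{
    for (const BaseApi* const* p = plugins; *p != nullptr; ++p)
        if ((*p)->type == PluginType::IpsOption && std::strcmp((*p)->name, keyword) == 0)
            return true;
    return false;
}
```

On a real build, the quick check that the list is actually exported from the plugin is `nm -D <plugin>.so | grep snort_plugins`; if the symbol is absent, Snort never sees any of the plugins in that object, whatever the list contains.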


________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists snort org>
Sent: 08 April 2019 13:54:46
To: snort-users () lists snort org
Subject: Re: [Snort-users] Snort3 Plugin IPS Option: unknown rule keyword

Your diff below is saying that you deleted snort_plugins.  You must provide that symbol, and it must be a 
null-terminated list of pointers to base API, even if you only have one.

On 4/8/19 8:32 AM, Jianyu Li via Snort-users wrote:

Hi,


I am trying to write an ips option for the dpx plugin.

I copied snort3_extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc into the dpx folder and made the following changes:


root@ubuntudesk1:~/snort_src/snort3_extra/src/inspectors/dpx/src# diff ips_pkt_num2.cc ../../../ips_options/ips_pkt_num/ips_pkt_num.cc
30c30
< static const char* s_name = "pkt_num2";
---
static const char* s_name = "pkt_num";
183c183,187
< const BaseApi* ips_pkt_num = &pkt_num_api.base;
---
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &pkt_num_api.base,
    nullptr
};
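Review bot: the 183c183,187 hunk only moves the registration problem. Dropping this file's own `snort_plugins` array is right once ips_pkt_num2.cc is compiled into the dpx shared object (one object can only define that symbol once), but the replacement line `const BaseApi* ips_pkt_num = &pkt_num_api.base;` registers nothing by itself: dpx.cc has to declare it `extern const BaseApi* ips_pkt_num;` and put it in its own array before the `nullptr` terminator, otherwise the option is never seen and the rule keyword stays unknown. Two things to keep as they are in that line: the pointer must remain non-const (`const BaseApi* const ips_pkt_num` would get internal linkage and the extern declaration in dpx.cc would not link), and its initializer must stay an address constant, which keeps it constant-initialized so dpx.cc can read it during its own static initialization regardless of translation-unit order.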

But when I ran snort it reported an error:
root@ubuntudesk1:~# snort --plugin-path /usr/local/lib/ -c /usr/local/etc/snort/snort.lua -R rules.txt -r iec61850.pcap -A cmg
ERROR: rules.txt:1 unknown rule keyword: pkt_num2.

There is only one line in rules.txt:
alert tcp any any -> any any (msg:"Test"; pkt_num2:30; sid: 1000;)

The reason I put ips_pkt_num.cc into dpx is that I wanted to use the structure (stored in the flow) defined in the dpx plugin, just like what they did in the modbus inspector.

It seems like this ips option wasn't loaded by snort. Any idea why this error occurs?

Thanks in advance!

Li





_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


