Snort mailing list archives
Where to put new protocol header object in Packet structure given in decode.h
From: Awais Ali via Snort-devel <snort-devel () lists snort org>
Date: Thu, 18 Jun 2020 20:30:39 +0200
Hello all,

I wrote a new decoder function for a layer 2 protocol in the decode.c file and defined the header of that protocol as a structure in decode.h. To use the same Packet as given by Snort, I declared the header object in "struct _Packet" at the end of the structure like this:

    typedef struct _Packet
    {
        const DAQ_PktHdr_t *pkth;    // packet meta data
        const uint8_t *pkt;          // raw packet data

        //vvv------------------------------------------------
        // TODO convenience stuff to be refactored for layers
        //^^^------------------------------------------------

        //vvv-----------------------------
        EtherARP *ah;
        const EtherHdr *eh;          /* standard TCP/IP/Ethernet/ARP headers */
        const VlanTagHdr *vh;
        EthLlc *ehllc;
        EthLlcOther *ehllcother;
        const PPPoEHdr *pppoeh;      /* Encapsulated PPP of Ether header */
        const GREHdr *greh;
        uint32_t *mpls;
        const CiscoMetaHdr *cmdh;    /* Cisco Metadata Header */

        const IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH family */
        const IPHdr *inner_iph;      /* if IP-in-IP, this will be the inner IP header */
        const IPHdr *outer_iph;      /* if IP-in-IP, this will be the outer IP header */
        const TCPHdr *tcph, *orig_tcph;
        const UDPHdr *udph, *orig_udph;
        const UDPHdr *inner_udph;    /* if Teredo + UDP, this will be the inner UDP header */
        const UDPHdr *outer_udph;    /* if Teredo + UDP, this will be the outer UDP header */
        const ICMPHdr *icmph, *orig_icmph;
        . . . .
        uint8_t ps_proto;            // Used for portscan and unified2 logging
        uint8_t ips_os_selected;
        void *cur_pp;
        // Expected session created due to this packet.
        struct _ExpectNode* expectedSession;
        const GOOSEHdr *gooseh;      /* Goose Header*/ ------------------>> This is my new protocol header object
    } Packet;

It works fine and decodes the newly added protocol as expected, but there is one issue: it disturbs other traffic and gives an assertion error like this:

    snort: snort_stream_tcp.c:3407: StreamUpdatePerfBaseState: Assertion `sf_base->iSessionsInitializing' failed.
    Aborted (core dumped)

When I remove const GOOSEHdr *gooseh; I don't get this error.

My question is: where should I put this new protocol header object so that I don't get such assertion errors? Can someone explain to me how this Packet structure is being used and populated in SNORT2?

Sorry for the long email. I hope you people will cooperate in this regard.

Thanks,
Awais Ali