Snort mailing list archives
How to set the priority of new preprocessor written for layer 2 traffic in SNORT2?
From: Awais Ali via Snort-devel <snort-devel () lists snort org>
Date: Fri, 19 Jun 2020 23:17:16 +0200
Hello all, I have written a decoder for layer 2 and have written a preprocessor on top of it to generate some required alerts. Its working perfectly as expected but it gives following assertion failed message on TCP/UDP stream (stream6 preprocessor) traffic: *snort: snort_stream_tcp.c:3407: StreamUpdatePerfBaseState: Assertion `sf_base->iSessionsInitializing' failed.Aborted (core dumped) * It should not give this error as i am not disturbing any other source code above layer 3 but adding new functionality at layer 2. My understanding is, it is because of the priority we set for different preprocessors through following function(in this case arp's function) in preprocessors: *AddFuncToPreprocList(sc, DetectARPattacks, PRIORITY_NETWORK, PP_ARPSPOOF, PROTO_BIT__ARP);* I set the same priority ( PRIORITY_NETWORK) for my preprocessor as well but when i play TCP/UDP traffic it gives me stream6 assertion error given above. As I change priority it gives different output, so my question is what should be the priority of new preprocessors working on a newly written decoder for layer 2 protocol? Or is there any other reason for such kind of assertion failed message?
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- How to set the priority of new preprocessor written for layer 2 traffic in SNORT2? Awais Ali via Snort-devel (Jun 19)