Re: preprocessor drop packets issues
From: "Ed Borgoyn (eborgoyn)" <eborgoyn () cisco com>
Date: Tue, 10 Dec 2013 19:03:47 +0000
Are you sure the Active_DropPacket() is being called? Can you see this via a LogMessage() or perhaps the debugger?
Are you configured to be in INLINE mode? This is necessary to permit Snort to drop packets.
Is all traffic being forwarded and you are not seeing the port==80 packets dropped? Is this your observation?
From: Han Zhang <zhanghan0116 () gmail com>
Date: Friday, December 6, 2013 8:04 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] preprocessor drop packets issues
I'm currently writing a Snort preprocessor, which tries to drop some
packets before they go to the detection engine and trigger any rules. I tried function Active_DropPacket(); but it
I attached my code here; for test purposes, this code just drops all the HTTP packets. I could see the output "Got a
packet", which means this preprocessor was called. But it did not drop any HTTP packets. Was I using the wrong function to
drop the packet? Any comment is appreciated.
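static void Detection(Packet *p, void *context)
{
    /* Declared with the same type as the cast below */
    EntropyConfig *entropy = NULL;

    LogMessage("Got a packet\n");
    sfPolicyUserPolicySet (entropy_config, getRuntimePolicy());
    entropy = (EntropyConfig *)sfPolicyUserDataGetCurrent(entropy_config);
    /* Not configured in this policy */
    if (entropy == NULL)
        return;
    /* Source port 80, i.e. packets sent from an HTTP server port */
    if(p->sp == 80)
        Active_DropPacket();   /* drop call named in the message above */
}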
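
The inline-mode requirement raised in the reply, shown as an added Snort 2.9 configuration sketch (not part of the original thread): passive settings beside inline ones. The afpacket DAQ, the eth0:eth1 interface pair and the snort.conf path are assumptions for illustration.

```conf
# --- Passive (tap) deployment: Snort only sees a copy of the traffic. ---
# A preprocessor can still request a drop, but the verdict cannot be
# enforced because the original packet is not held by Snort.
# config daq: pcap
# config daq_mode: passive

# --- Inline deployment: Snort sits in the forwarding path. ---
# Assumed here: afpacket DAQ bridging two interfaces (eth0:eth1).
config daq: afpacket
config daq_mode: inline
config policy_mode:inline

# Command-line equivalent (constructed example; path is a placeholder):
#   snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf
```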