Snort mailing list archives
Re: Help Developing Snort "Hello World" Dynamic Preprocessor
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 16 Aug 2010 10:33:51 -0400
Hi Fuat,

Rolling your own dynamic preprocessor is not as easy as it could be. I'm putting a blog post together to remedy that. In the meantime, here are some pointers:

* ensure the dpp is compiled with exactly the same options as snort
* ensure visibility is correct to get InitializePreprocessor() and LibVersion() exported
* use DebugMessage() instead of _dpd.debugMsg() so file and line are set correctly
* use the SNORT_DEBUG environment variable to get helpful output

And be sure to add the preprocessor config to your snort.conf!

Russ

On Sat, Jul 31, 2010 at 2:35 AM, Fuat Yosanto <mbahe_suro () students ittelkom ac id> wrote:
Hi all,
Actually I have a problem when creating my own dynamic-preprocessor.
(See my previous email with subject : Linking custom dynamic-preprocessor)
Seems like my dynamic-preprocessor hasn't been executed by Snort (loaded
successfully but didn't work).
I can't figure out what's wrong with it. Maybe something is missing.
I have tried modifying Snort dynamic-preprocessor example to do same
process with my dynamic-preprocessor.
It works, but I can't satisfy my needs, because of its directory
position, and naming problem.
So to understand what are the minimum requirements to build
dynamic-preprocessor,
I am looking for a basic example code like "hello world" Snort
dynamic-preprocessor.
Here, I have created the prototype of "hello world" Snort
dynamic-preprocessor.
The idea is simple, it will log message when it finds any kind of packet.
Additionally it can identify TCP, UDP, and ICMP packet.
Assume that we have done any setup things to integrate this
dynamic-preprocessor in Snort sources
such as editing generators.h, preprocids.h, Makefile.am, re-running
autotools, etc.
These are the sources :
Directory : src/dynamic-preprocessor/hello
========================
File name : spp_hello.c
========================
#include "preprocids.h"
#include "sf_snort_packet.h"
#include "sf_dynamic_preprocessor.h"
#include "sf_dynamic_preproc_lib.h"
#include "sf_snort_plugin_api.h"
#include "sfPolicy.h"
#include "sfPolicyUserData.h"
#define GENERATOR_SPP_HELLO 230
extern DynamicPreprocessorData _dpd;
static void HelloInit(char *);
static void HelloProcess(void *, void *);
void HelloSetup()
{
    _dpd.registerPreproc("hello", HelloInit);
}
static void HelloInit(char *args)
{
    _dpd.addPreproc(HelloProcess, PRIORITY_TRANSPORT, PP_HELLO,
                    PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__ICMP);
}
static void HelloProcess(void *pkt, void *context)
{
    SFSnortPacket *p = (SFSnortPacket *)pkt;
    if(IsTCP(p))
    {
        _dpd.logMsg("Hello : Got TCP packet!\n");
    }
    else if(IsUDP(p))
    {
        _dpd.logMsg("Hello : Got UDP packet!\n");
    }
    else if(IsICMP(p))
    {
        _dpd.logMsg("Hello : Got ICMP packet!\n");
    }
    else
    {
        _dpd.logMsg("Hello : Got unknown packet!\n");
    }
}
===============================
File name : sf_preproc_info.h :
===============================
#ifndef SF_PREPROC_INFO_H_
#define SF_PREPROC_INFO_H_
#define MAJOR_VERSION 1
#define MINOR_VERSION 0
#define BUILD_VERSION 1
#define PREPROC_NAME "HelloWorld_Preprocessor"
#define DYNAMIC_PREPROC_SETUP HelloSetup
extern void HelloSetup();
#endif
So here I need help to fix & improve them, because those are still not
working.
There should be something missing, something wrong, or something
unnecessary.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
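
Two of the pointers in the reply above (exported entry points, and the preprocessor line in snort.conf) can be checked before starting Snort. The script below is an added example, not part of the original thread or of Snort itself; the function names, the paths in the comments and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Snort dynamic preprocessor build.
# Real use (paths are assumptions):
#   nm -D --defined-only libsf_hello_preproc.so | missing_exports
#   conf_enables hello /etc/snort/snort.conf

# The two functions the reply says must be exported from the shared object.
REQUIRED_EXPORTS="InitializePreprocessor LibVersion"

# Reads `nm -D --defined-only` output on stdin and prints every required
# symbol that is not a global text symbol (type T). A function hidden by
# -fvisibility=hidden or `static` never reaches the dynamic symbol table.
missing_exports() {
    awk -v req="$REQUIRED_EXPORTS" '
        NF >= 3 && $(NF-1) == "T" { seen[$NF] = 1 }
        END {
            n = split(req, r, " ")
            for (i = 1; i <= n; i++) if (!(r[i] in seen)) print r[i]
        }'
}

# Succeeds when snort.conf ($2) has an uncommented `preprocessor <name>`
# line; <name> ($1) is the keyword given to _dpd.registerPreproc().
conf_enables() {
    grep -Eq "^[[:space:]]*preprocessor[[:space:]]+$1([[:space:]:]|\$)" "$2"
}

# Constructed sample: nm output for a build that hid InitializePreprocessor.
sample_nm() {
    printf '%s\n' \
        '0000000000001139 T LibVersion' \
        '0000000000001150 T HelloSetup'
}

# Constructed sample: a snort.conf where the preprocessor line is commented out.
sample_conf() {
    printf '%s\n' \
        'dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/' \
        'preprocessor frag3_global: max_frags 65536' \
        '# preprocessor hello'
}

conf=$(mktemp) && sample_conf > "$conf"
echo "missing exports: $(sample_nm | missing_exports | tr '\n' ' ')"
conf_enables hello "$conf" && echo "hello enabled" || echo "hello NOT enabled in snort.conf"
rm -f "$conf"
```

A library that loads but whose callback never fires, as described in the original message, is consistent with the second check failing: without a `preprocessor hello` line the init function passed to `_dpd.registerPreproc()` is never called.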
