Snort mailing list archives
Re: Snort 3.0: Actions
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Wed, 4 Feb 2015 18:24:23 +0000
Sancho, comments below.
Thanks
Russ
________________________________________
From: Sancho Panza [sancho () posteo de]
Sent: Wednesday, February 04, 2015 12:23 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Snort 3.0: Actions
I am trying to implement a new action type in snort.
For that, I was looking at the source code to see how other action types
are realised and how this is supposed to work in general.
With the help of some extra debug statements, I found that
ActionManager::execute is entered when my rule strikes, with a test for
( s_action ) - which is set in ActionManager::queue. Alas, I've been
unable to get s_action to be set.
From my understanding, this should be set from within
fpdetect.cc:fpLogOther() - but config-wise, how do I achieve that
rtn->listhead->action is set for a given rule?
I tried with writing a rule with action type "reject" which leads to an
invocation of ActionManager::get_action_type() when
parse_conf.cc:get_rule_type() is called, as the previous call to
get_action_type() returns RULE_TYPE__NONE.
But then, why is the action type of "reject" RULE_TYPE__DROP? The list
head for drop doesn't have the action field set!!!
How is this supposed to work?
* Drop doesn't have an action because it is built in. Externally defined actions must be configured to become available to the parser. For the reject rule, you can set reject = { } to get the rule to parse. It won't work without setting the type of response (reject.reset, etc.) but I just discovered that will fail in the encoder (it *used* to work :). So don't try that (or react) until we get a fix out.
* In the meantime you can try a rewrite rule (in conjunction with the rule option replace). Add rewrite = { } to your conf and s_action will be called.
Many thanks
Sancho
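A minimal Snort 3 Lua configuration that follows Russ's advice above, added here as an illustration and not part of the thread or of the Snort sources. It assumes the action module is configured by a top-level `rewrite = { }` table as Russ states, and that rules can be inlined through `ips.rules`; the rule text, its sid and the HTTP strings are constructed sample values.

```lua
-- Added example (not from the thread): enable the externally defined
-- 'rewrite' action so the parser accepts rules of that type. Without this
-- table the rule type is unknown, ActionManager::queue is never reached and
-- s_action stays unset, which is the symptom described in the question.
rewrite = { }

-- 'reject' parses with reject = { }, but as Russ notes the response path
-- currently fails in the encoder, so it is left unconfigured here.
-- reject = { }

-- Constructed sample rule: 'rewrite' only has an effect when the rule also
-- carries the 'replace' option, and the replacement must be the same length
-- as the matched content (here both are 11 bytes). Hypothetical sid/content.
ips =
{
    rules =
    [[
    rewrite tcp any any -> any 80 ( msg:"example rewrite"; content:"GET /secret"; replace:"GET /public"; sid:1000001; )
    ]]
}
```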
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!