Snort mailing list archives

Re: Dynamic preprocessors: Detection engine on normalized data only


From: "Hui Cao (huica)" <huica () cisco com>
Date: Mon, 23 Feb 2015 00:33:27 +0000

Hi Arun,

The best way to do this is to implement PAF (protocol aware flushing). HTTP, DCE/RPC, and FTP all have PAF support.
You can use them as an example (look for functions like xxx_paf.h/c).

The idea is to check in the PAF callback and set the flush point based on the message length. By
implementing this, a reassembled packet will be the payload you want.

_dpd.detect() will enable rule evaluation, but only rules that are based on the Alt decode buffer will use it; all other
rules will continue inspecting the payload.
Best,
Hui.
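Hui's suggestion, as an added example that is not part of this thread or of the Snort source tree: a stand-alone C sketch of a PAF callback for a length-prefixed protocol like the one Arun describes, plus a small driver that plays the role of the stream reassembler. The `PAF_Status` values and the `msg_paf` signature are local stand-ins that mirror the shape of Snort 2.9's `PAF_Status`/`PAF_Callback` from the dynamic-preprocessor `stream_api.h` (the exact parameter list differs between 2.9.x releases, so check your tree); the 2-byte big-endian length header is a constructed wire format; `feed_stream`, `demo_segmented` and `demo_bogus_length` are hypothetical names. In a real preprocessor the callback is registered through `_dpd.streamAPI` (`register_paf_port` / `register_paf_service` in the 2.9.x stream API; confirm the signature against your `stream_api.h`) rather than called directly.

```c
/* Added example (not Snort's code): a PAF callback for a length-prefixed TCP
 * protocol, exercised by a stand-in for the stream reassembler.  Constructed
 * wire format: 2-byte big-endian total length (counting the header itself),
 * then the body.  PAF_Status / msg_paf mirror the shape of Snort 2.9's
 * PAF_Status / PAF_Callback (assumption: verify against your stream_api.h). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef enum { PAF_ABORT, PAF_SEARCH, PAF_FLUSH } PAF_Status;  /* local stand-in */

#define HDR_LEN 2
#define MAX_MSG 65535u          /* assumed protocol maximum; rejects absurd lengths */

/* Per-flow scanner state; Snort hands a PAF callback a void** slot for this. */
typedef struct {
    uint8_t  hdr[HDR_LEN];      /* header bytes seen so far (may straddle segments) */
    uint8_t  hdr_seen;
    uint32_t remaining;         /* body bytes still owed for the current message */
} MsgPafState;

/* Reports, via *fp, the offset relative to data at which the current message
 * ends.  Only the first boundary in the chunk is reported: the reassembler
 * calls again with whatever follows the flush point. */
PAF_Status msg_paf(void *session, void **user, const uint8_t *data,
                   uint32_t len, uint32_t flags, uint32_t *fp)
{
    (void)session; (void)flags;
    MsgPafState *st = *user;
    if (!st) {
        st = calloc(1, sizeof *st);
        if (!st) return PAF_ABORT;
        *user = st;
    }
    uint32_t off = 0;
    if (st->remaining == 0) {                     /* header phase */
        while (st->hdr_seen < HDR_LEN) {
            if (off >= len) return PAF_SEARCH;    /* header continues next segment */
            st->hdr[st->hdr_seen++] = data[off++];
        }
        uint32_t total = ((uint32_t)st->hdr[0] << 8) | st->hdr[1];
        st->hdr_seen = 0;
        /* a length that cannot cover its own header is not this protocol:
         * abort PAF on the flow instead of looping or flushing garbage */
        if (total < HDR_LEN || total > MAX_MSG) return PAF_ABORT;
        st->remaining = total - HDR_LEN;
    }
    uint32_t avail = len - off;                   /* body phase */
    if (st->remaining > avail) {
        st->remaining -= avail;
        return PAF_SEARCH;
    }
    *fp = off + st->remaining;
    st->remaining = 0;
    return PAF_FLUSH;
}

/* Stand-in for the reassembler: feeds the stream in the given segment sizes,
 * re-scanning the rest of a segment after each flush as Snort's PAF loop does.
 * Absolute message-end offsets go to out[]; returns the count, or -1 on abort. */
int feed_stream(const uint8_t *stream, uint32_t total, const uint32_t *seg,
                int nseg, uint32_t *out, int max_out)
{
    void *user = NULL;
    uint32_t pos = 0;
    int n = 0;
    for (int i = 0; i < nseg && pos < total; i++) {
        uint32_t len = seg[i] > total - pos ? total - pos : seg[i];
        uint32_t start = 0;
        while (start < len) {
            uint32_t fp = 0;
            PAF_Status s = msg_paf(NULL, &user, stream + pos + start,
                                   len - start, 0, &fp);
            if (s == PAF_SEARCH) break;
            if (s == PAF_ABORT || fp == 0) { free(user); return -1; }
            if (n < max_out) out[n] = pos + start + fp;
            n++;
            start += fp;
        }
        pos += len;
    }
    free(user);
    return n;
}

/* Constructed sample: three messages of 5, 2 (empty body) and 4 bytes. */
static const uint8_t SAMPLE[] = { 0x00,0x05,'a','b','c', 0x00,0x02, 0x00,0x04,'x','y' };

/* Segments of 1, 3 and 7 bytes put the first header across a segment boundary.
 * Returns the number of boundaries found (3), or -1 if any is misplaced. */
int demo_segmented(void)
{
    static const uint32_t segs[] = {1, 3, 7}, want[] = {5, 7, 11};
    uint32_t got[8];
    int n = feed_stream(SAMPLE, sizeof SAMPLE, segs, 3, got, 8);
    if (n != 3) return -1;
    for (int i = 0; i < 3; i++) if (got[i] != want[i]) return -1;
    return n;
}

/* A length field smaller than the header must abort PAF (-1), not loop. */
int demo_bogus_length(void)
{
    static const uint8_t bad[] = { 0x00, 0x01, 'z' };
    static const uint32_t segs[] = {3};
    uint32_t got[1];
    return feed_stream(bad, sizeof bad, segs, 1, got, 1);
}

int main(void) { printf("%d %d\n", demo_segmented(), demo_bogus_length()); return 0; }
```

Two points worth keeping when adapting this: the per-flow state hangs off the `user` slot (so a header split across TCP segments is handled, which the packet-at-a-time approach in the original post cannot do), and a length field that fails its sanity check returns `PAF_ABORT` so that a flow speaking something else does not keep the scanner chasing bogus offsets.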

From: Arun Koshal <akoshal04 () gmail com>
Date: Saturday, February 21, 2015 at 2:34 AM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] Dynamic preprocessors: Detection engine on normalized data only

Hi,

We are developing a simple Snort dynamic preprocessor for a TCP-based application. The application traffic includes
messages of varying lengths between the client and server. The objective of the preprocessor is to have Snort do rule
detection on messages rather than on packets.

The preprocessor simply identifies the message boundaries based on the message length in the message header and copies
the message into DecodeBuffer.data. We are calling the SetAltDecode function with the proper message length, followed by
_dpd.detect(). We observe that Snort is still working on the packet payload instead of this normalized DecodeBuffer. Is
this behavior correct?

How can we make the Snort rule engine work on the normalized payload in DecodeBuffer and ignore the payload in the Packet?

We are using Snort 2.9.6.2.

Please suggest.

Thanks,
Arun
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!