Snort mailing list archives

Re: Dynamic Preprocessor does not alert and capture packet


From: Big Whale <d0lph1n98 () yahoo com>
Date: Fri, 10 Jul 2015 02:09:55 +0000 (UTC)

I believe there is already a dynamic preprocessor template in Snort's source code, just like dpx's code, and I 
believe the problem is in my config file. Snort does not seem to recognize the preprocessor generator id or whatever it is. 
Thanks anyway
 


     On Friday, July 10, 2015 9:53 AM, Russ <rucombs () cisco com> wrote:
   

  Do you have a Snort question?  If you need general help with development, there are more suitable venues like 
stackoverflow.com.  We really don't have the bandwidth to walk you through your project step by step.  However, if you 
take the time to build and step through the dynamic preprocessor example (https://www.snort.org/documents/dpx-readme), 
you will see an event generated in a much simpler piece of code than ssh.  If dpx gives you trouble, let us know.
 
 Russ
 
 On 7/9/15 9:24 PM, Big Whale wrote:
  
 
   Are you sure? It worked on my machine. Well, if it's bothering you, you can just comment out that function as it is 
useless for now.
  
 
 
          On Thursday, July 9, 2015 10:51 PM, Hui cao <huica () cisco com> wrote:
   
 
    Try running gdb if you have the binary, set a breakpoint at ModSecProcess(), and step through. Here are the steps to 
use gdb (http://cs.baylor.edu/~donahoo/tools/gdb/tutorial.html)
 
 FYI...your code won't compile. You have the following function defined inside function ModSecProcess(void *pkt, void 
*context). 
 
 /* Quoted as posted: this definition sits inside ModSecProcess(), which
    standard C does not allow (nested functions are only a GCC extension). */
 void removeSubstr(char *string, char *sub) {
         char *match = string;
         size_t len = strlen(sub);   /* needs <string.h> for strlen/strstr/memmove */
         if (len == 0)
             return;                 /* an empty pattern would never advance */
         /* Find each occurrence of sub and slide the tail of the string
            (including its terminating NUL) over it. The source and
            destination overlap, so memmove() is used; the original
            strcat(string, match+len) call was undefined behaviour for
            exactly that reason. */
         while((match = strstr(match, sub))) {
             memmove(match, match + len, strlen(match + len) + 1);
         }
     }
 
 Best,
 Hui.
  On 07/09/2015 10:41 AM, Big Whale wrote:
  
 
      The preprocessor can be loaded, but in the ModSecProcess() function the preprocessor is supposed to output the alert if 
the packet matched port 80. It does not work, so I thought the problem could be the preprocessor rules. I already 
tried config autogenerate_preprocessor_decoder_rules in snort.conf and defined the preprocessor alert generator id in 
the preprocessor_rules. Yet nothing seems to work the way it is supposed to. I am building my preprocessor based 
on the SSH preprocessor. Why don't you try to compile and run it locally so you can experience what kind of problem it is. 
 
 
       On Thursday, July 9, 2015 8:56 PM, Hui cao <huica () cisco com> wrote:
   
 
    Hi Big Whale,
 
 Can you describe in detail what works and what does not? Which decoder rule? Have you seen the rule get triggered in your 
preprocessor? Again, the SSH preprocessor has an example of how to generate a preprocessor alert.
 
 Best,
 Hui.
 
  On 07/09/2015 12:46 AM, Big Whale wrote:
  
 
      I already added "config autogenerate_preprocessor_decoder_rules" to my snort.conf file and put the plugin's alerts 
in preprocessor.rules and gen-msg.map. But there is still no alert from my preprocessor. The preprocessor loaded correctly.
   
  
 ------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/ 
  
 _______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort! 
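The routine Hui quotes above only fails to compile because it is defined inside ModSecProcess(); once it is moved to file scope it builds with any C compiler. The following is an added example, not code from the thread or from Snort: it places removeSubstr() at file scope, replaces the overlapping strcat() with memmove(), guards the empty-pattern case that would otherwise never terminate, and calls it from a handler shaped like the port-80 check the thread describes. The struct fake_packet type, the modsec_process() name and the "<marker>" string are constructed for the example and are not Snort's packet structure or API; a real preprocessor would raise its event through the dynamic preprocessor interface at the point marked in the comments.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the packet fields the handler inspects.
 * Constructed for this example; not Snort's real packet structure. */
struct fake_packet {
    unsigned short dst_port;
    char payload[128];
};

/* Defined at file scope, where C requires it. Removes every occurrence of
 * sub from string in place and returns the number of occurrences removed.
 * Repeated or adjacent occurrences are handled because the search resumes
 * at the point where the tail was moved in. */
size_t removeSubstr(char *string, const char *sub)
{
    size_t len = strlen(sub);
    size_t removed = 0;
    char *match = string;

    if (len == 0)               /* an empty pattern would loop forever */
        return 0;

    while ((match = strstr(match, sub)) != NULL) {
        /* Slide the tail, including its terminating NUL, over the match.
         * Source and destination overlap, so memmove, not strcat/strcpy. */
        memmove(match, match + len, strlen(match + len) + 1);
        removed++;
    }
    return removed;
}

/* Handler in the shape of the ModSecProcess() discussed in the thread:
 * only traffic to port 80 is examined. Returns 1 when the hypothetical
 * marker was found and stripped from the payload, 0 otherwise. This is
 * where a real dynamic preprocessor would emit its alert (gid/sid pair)
 * instead of just returning a flag. */
int modsec_process(struct fake_packet *pkt)
{
    if (pkt->dst_port != 80)
        return 0;
    return removeSubstr(pkt->payload, "<marker>") > 0;
}

int main(void)
{
    /* Constructed sample request carrying two marker occurrences. */
    struct fake_packet p = { 80, "GET /<marker>index<marker>.html HTTP/1.0" };
    int hit = modsec_process(&p);
    printf("hit=%d payload=%s\n", hit, p.payload);
    return 0;
}
```

Compile with any C compiler (for example `cc -Wall example.c`); the nested definition from the thread fails at this step under a compiler that does not implement GCC's nested-function extension, while this file-scope version builds cleanly.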
