Snort mailing list archives

Custom dynamic preprocessor - How to evaluate custom rules against data from custom dissection?


From: Jan Hermes <jan.hermes () hotmail de>
Date: Fri, 4 Nov 2016 10:36:20 +0000

Hello,

I built a dynamic preprocessor for snort and would like to add some custom rules.

Let's create a minimal example just for this question:

    - I want to dissect a protocol consisting of: ("source name", "dest name") with my preprocessor.

    - There should be a rule called "my_preproc" working like this: my_preproc: "evil"->"good"

    - The rule should match the specified source and destination name with the names that are in the package

    - I do not want to inspect the raw package in the eval function passed to registerPreprocOpts but I want the rule to use pre dissected values that were written into a custom data structure after parsing (or while parsing) the package

profinet: any -> any, alarm_frame connection(loss)


Is there the possibility to access my defined rules while the main process function of my preprocessor is running?

e.g. like this:

    /* rule option init callback: Snort passes the option name, its argument
       string and a void ** through which the per-rule data is returned */
    int InitRule(struct SnortConfig *sc, char *name, char *args, void **data) {

        /* strcmp() returns 0 on a match, so bail out only when the name differs */
        if (strcmp("my_preproc", name)) return 0;

        PreprocRuleData *ruleData = calloc(1, sizeof(PreprocRuleData));

        /* parse the "evil"->"good" argument once, at rule parse time */
        ruleData->srcMatch = getSrcMatch(args);
        ruleData->destMatch = getDestMatch(args);

        ruleData->evalFunc = evalNames;

        /* hand the per-rule data back to Snort through the out-parameter */
        *data = (void *)ruleData;

        return 1;
    }

    static void Preproc_Process(void *pkt, void *context) {

        /* dissect the packet once into the custom structure */
        CustomProto customProto;

        customProto.srcName = extractSource(pkt);
        customProto.destName = extractDest(pkt);

        PreprocRuleData *ruleData = getRuleData(context);  // is this somehow possible ???

        ruleData->evalFunc(ruleData, customProto); // this also generates an alert if matched

    }


So, all in all, the question comes down to: How do I use my own preprocessed data to be tested against custom-defined rules?

Thanks,
Jan
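Added example (not from the post and not Snort's own code): a standalone C model of the split the bundled preprocessors such as Modbus use with the Snort 2.9.x dynamic preprocessor API, where the rule option's init callback parses the option argument into per-rule data once, the preprocessor dissects each packet once into a struct, and the rule option's eval callback compares the two without looking at raw bytes. In Snort that hand-off goes through the session (the preprocessor stores the dissected struct with the session API's set_application_data and the eval callback fetches it with get_application_data on the packet's stream session); here the hand-off is a plain function argument, and the wire format "src\0dst\0" and every name below are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Fields the preprocessor dissects from the toy protocol ("source name", "dest name"). */
typedef struct { char src[32]; char dst[32]; } CustomProto;

/* Per-rule state built once from the option argument  "evil"->"good"  at rule parse time. */
typedef struct { char src_match[32]; char dst_match[32]; } PreprocRuleData;

/* Copy one double-quoted token at *p into out and advance *p past it; 1 = ok. */
static int take_quoted(const char **p, char *out, size_t n) {
    const char *s = *p, *e;
    while (*s == ' ') s++;
    if (*s != '"' || !(e = strchr(++s, '"')) || (size_t)(e - s) >= n) return 0;
    memcpy(out, s, e - s);
    out[e - s] = '\0';
    *p = e + 1;
    return 1;
}

/* Rule-option init: turn the option argument into PreprocRuleData; 1 = ok, 0 = bad syntax. */
int my_preproc_init(const char *args, PreprocRuleData **out) {
    PreprocRuleData *rd = calloc(1, sizeof *rd);
    const char *p = args;
    if (rd && take_quoted(&p, rd->src_match, sizeof rd->src_match)) {
        while (*p == ' ') p++;
        if (strncmp(p, "->", 2) == 0) {
            p += 2;
            if (take_quoted(&p, rd->dst_match, sizeof rd->dst_match)) { *out = rd; return 1; }
        }
    }
    free(rd);                     /* reject rules that do not parse instead of half-filling them */
    return 0;
}

/* Dissector for the constructed wire format "src\0dst\0"; runs once per packet. 1 = parsed. */
int dissect(const unsigned char *pkt, size_t len, CustomProto *out) {
    const unsigned char *n1 = memchr(pkt, 0, len), *n2;
    if (!n1 || (size_t)(n1 - pkt) >= sizeof out->src) return 0;
    n2 = memchr(n1 + 1, 0, len - (size_t)(n1 + 1 - pkt));
    if (!n2 || (size_t)(n2 - n1 - 1) >= sizeof out->dst) return 0;   /* both strings must end in len */
    strcpy(out->src, (const char *)pkt);
    strcpy(out->dst, (const char *)(n1 + 1));
    return 1;
}

/* Rule-option eval: compare the rule against the dissected fields, never the raw bytes; 1 = match. */
int my_preproc_eval(const CustomProto *proto, const PreprocRuleData *rd) {
    return strcmp(proto->src, rd->src_match) == 0 && strcmp(proto->dst, rd->dst_match) == 0;
}
```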