Snort mailing list archives

Re: How to set the priority of new preprocessor written for layer 2 traffic in SNORT2?


From: Chamara Devanarayana via Snort-devel <snort-devel () lists snort org>
Date: Tue, 28 Jul 2020 15:19:57 +0000

Hi Ali,
Have a look at my repository.
https://github.com/chamara84/snort-2.9_RTDS/blob/master/snort-2.9.14.1/src/preprocessors/spp_goose.c
Look at the files spp_goose.c and /src/decode.c and /src/decode.h
I wrote it to modify Goose frames. You might be able to match your code with that and fix your problem. I do not get an error like yours.

Best regards,
Chamara




From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Awais Ali via Snort-devel
Sent: June 19, 2020 4:17 PM
To: snort-devel () lists snort org
Subject: [Snort-devel] How to set the priority of new preprocessor written for layer 2 traffic in SNORT2?

Hello all,
I have written a decoder for layer 2 and have written a preprocessor on top of it to generate some required alerts. It's working perfectly as expected, but it gives the following assertion failed message on TCP/UDP stream (stream6 preprocessor) traffic:

snort: snort_stream_tcp.c:3407: StreamUpdatePerfBaseState: Assertion `sf_base->iSessionsInitializing' failed.
Aborted (core dumped)
It should not give this error, as I am not disturbing any other source code above layer 3 but adding new functionality at layer 2.
My understanding is that it is because of the priority we set for different preprocessors through the following function (in this case ARP's function) in preprocessors:

AddFuncToPreprocList(sc, DetectARPattacks, PRIORITY_NETWORK, PP_ARPSPOOF, PROTO_BIT__ARP);

I set the same priority (PRIORITY_NETWORK) for my preprocessor as well, but when I play TCP/UDP traffic it gives me the stream6 assertion error given above. As I change the priority it gives different output, so my question is: what should be the priority of new preprocessors working on a newly written decoder for a layer 2 protocol? Or is there any other reason for this kind of assertion failed message?