Snort mailing list archives
Re: Writing Preprocessor For Snort
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 8 Nov 2013 14:51:32 -0500
Are you running build.sh and test.sh from the directory in which they are located, like ./build.sh?

On Fri, Nov 8, 2013 at 1:08 PM, Amtul Saboor <saboor.amtul () gmail com> wrote:

> Thanks a lot everybody. Especially Russ and Alex!! The dpx 1.6 version worked for me. However, I fixed the two following issues myself, explaining for others' future guidance:
>
> Somehow, the files build.sh and test.sh are not understanding the correct snort path, and that error (no rule to make file) was arriving due to a path problem. I manually entered the path in both cases (replaced $Snort with /root/snort/) and the problem was half solved.
>
> I faced another error in build.sh; I had to comment out the second if condition in build.sh to make the program run error free. Otherwise I was facing this error: "ERROR: you must echo SNORT=/path/to/snort/dir > setup.sh first", although I was doing that already.
>
> And to be sure if my output is correct, I am copying it; please let me know if this is the thing I should be having:
>
> /test.sh
> ./setup.sh: line 1: /root/snort: is a directory
> Running in IDS mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "test/snort.conf"
> Tagged Packet Limit: 256
> Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
>   Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libdpx.so... done
>   Finished Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor
> Log directory = /var/log/snort
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 4 Snort rules read
>     4 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 2 Option Chains linked into 2 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> +-------------------[Rule Port Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src       0       0       0       0
> |     dst       0       0       0       0
> |     any       4       0       0       0
> |      nc       4       0       0       0
> |     s+d       0       0       0       0
> +----------------------------------------------------------------------------
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[detection-filter-rules]-------------------------------
> | none
> -------------------------------------------------------------------------------
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[rate-filter-rules]------------------------------------
> | none
> -------------------------------------------------------------------------------
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[event-filter-global]----------------------------------
> +-----------------------[event-filter-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
> Verifying Preprocessor Configurations!
>
> [ Port Based Pattern Matching Memory ]
> pcap DAQ configured to read-file.
> The DAQ version does not support reload.
> Acquiring network traffic from "test/test.pcap".
> Reload thread starting...
> Reload thread started, thread 0xb69a3b70 (9802)
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.5.5 GRE (Build 205)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3.3
>
>            Preprocessor Object: dpx  Version 1.6  <Build 1>
>
> Commencing packet processing (pid=9801)
> 3 256 2 0
> 4 256 2 0
> 5 256 1 0
> ===============================================================================
> Run time for packet processing was 0.1496 seconds
> Snort processed 6 packets.
> Snort ran for 0 days 0 hours 0 minutes 0 seconds
>    Pkts/sec:            6
> ===============================================================================
> Packet I/O Totals:
>    Received:            6
>    Analyzed:            6 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:            6 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:            6 (100.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:            6 (100.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:            0 (  0.000%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:            0 (  0.000%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            0 (  0.000%)
>      S5 G 2:            0 (  0.000%)
>       Total:            6
> ===============================================================================
> Action Stats:
>      Alerts:            3 ( 50.000%)
>      Logged:            3 ( 50.000%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:            6 (100.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
> ===============================================================================
> Snort exiting
>
> On Fri, Nov 8, 2013 at 4:15 AM, Russ Combs <rcombs () sourcefire com> wrote:
>
> > The DPX source was out of date with Snort's source. Try the attached. You shouldn't need to edit build.sh.
> >
> > On Thu, Nov 7, 2013 at 3:06 PM, Amtul Saboor <saboor.amtul () gmail com> wrote:
> >
> > > Ok this problem is solved. I changed the path manually in build.sh; now it gives a huge number of errors in the dpx.c file. These are as follows:
> > >
> > > make[1]: Entering directory `/usr/src/dpx-1.5/test'
> > > rm -rf .libs _libs
> > > rm -f *.lo
> > > make[1]: Leaving directory `/usr/src/dpx-1.5/test'
> > > Making clean in src
> > > make[1]: Entering directory `/usr/src/dpx-1.5/src'
> > > test -z "libdpx.la" || rm -f libdpx.la
> > > rm -f "./so_locations"
> > > rm -rf .libs _libs
> > > rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c
> > > rm -f *.o
> > > rm -f *.lo
> > > make[1]: Leaving directory `/usr/src/dpx-1.5/src'
> > > Making clean in .
> > > make[1]: Entering directory `/usr/src/dpx-1.5'
> > > rm -rf .libs _libs
> > > rm -f *.lo
> > > make[1]: Leaving directory `/usr/src/dpx-1.5'
> > > make all-recursive
> > > make[1]: Entering directory `/usr/src/dpx-1.5'
> > > Making all in src
> > > make[2]: Entering directory `/usr/src/dpx-1.5/src'
> > > cp /root/snort/src/dynamic-examples/include/sf_dynamic_preproc_lib.c sf_dynamic_preproc_lib.c
> > > cp /root/snort/src/dynamic-examples/include/sfPolicyUserData.c sfPolicyUserData.c
> > > make all-am
> > > make[3]: Entering directory `/usr/src/dpx-1.5/src'
> > > /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I/root/snort/src/dynamic-examples/include -g -O2 -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall -DZLIB -DGRE -DMPLS -DPPM_MGR -DNDEBUG -DENABLE_REACT -DENABLE_RESPOND -DENABLE_RESPONSE3 -DSF_WCHAR -DTARGET_BASED -DPERF_PROFILING -DSNORT_RELOAD -DNO_NON_ETHER_DECODER -DNORMALIZER -DACTIVE_RESPONSE -fvisibility=hidden -c -o dpx.lo dpx.c
> > > libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I/root/snort/src/dynamic-examples/include -g -O2 -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall -DZLIB -DGRE -DMPLS -DPPM_MGR -DNDEBUG -DENABLE_REACT -DENABLE_RESPOND -DENABLE_RESPONSE3 -DSF_WCHAR -DTARGET_BASED -DPERF_PROFILING -DSNORT_RELOAD -DNO_NON_ETHER_DECODER -DNORMALIZER -DACTIVE_RESPONSE -fvisibility=hidden -c dpx.c -fPIC -DPIC -o .libs/dpx.o
> > > dpx.c: In function 'DPX_New':
> > > dpx.c:151: error: too few arguments to function '_dpd.getParserPolicy'
> > > dpx.c: In function 'DPX_Delete':
> > > dpx.c:180: warning: passing argument 1 of 'sfPolicyUserDataIterate' from incompatible pointer type
> > > /root/snort/src/dynamic-examples/include/sfPolicyUserData.h:137: note: expected 'struct _SnortConfig *' but argument is of type 'tSfPolicyUserContextId'
> > > dpx.c:180: warning: passing argument 2 of 'sfPolicyUserDataIterate' from incompatible pointer type
> > > /root/snort/src/dynamic-examples/include/sfPolicyUserData.h:137: note: expected 'tSfPolicyUserContextId' but argument is of type 'int (*)(struct tSfPolicyUserContext *, tSfPolicyId, void *)'
> > > dpx.c:180: error: too few arguments to function 'sfPolicyUserDataIterate'
> > > dpx.c: In function 'DPX_Setup':
> > > dpx.c:196: warning: passing argument 2 of '_dpd.registerPreproc' from incompatible pointer type
> > > dpx.c:196: note: expected 'PreprocessorInitFunc' but argument is of type 'void (*)(char *)'
> > > dpx.c:196: warning: passing argument 3 of '_dpd.registerPreproc' from incompatible pointer type
> > > dpx.c:196: note: expected 'PreprocessorReloadFunc' but argument is of type 'void (*)(char *)'
> > > dpx.c:196: warning: passing argument 4 of '_dpd.registerPreproc' from incompatible pointer type
> > > dpx.c:196: note: expected 'PreprocessorReloadVerifyFunc' but argument is of type 'void * (*)(void)'
> > > dpx.c:196: warning: passing argument 5 of '_dpd.registerPreproc' from incompatible pointer type
> > > dpx.c:196: note: expected 'PreprocessorReloadSwapFunc' but argument is of type 'void (*)(void *)'
> > > dpx.c:196: error: too few arguments to function '_dpd.registerPreproc'
> > > dpx.c: In function 'DPX_Init':
> > > dpx.c:208: warning: passing argument 1 of '_dpd.addPreproc' from incompatible pointer type
> > > dpx.c:208: note: expected 'struct _SnortConfig *' but argument is of type 'void (*)(void *, void *)'
> > > dpx.c:208: warning: passing argument 2 of '_dpd.addPreproc' makes pointer from integer without a cast
> > > dpx.c:208: note: expected 'void (*)(void *, void *)' but argument is of type 'int'
> > > dpx.c:208: error: too few arguments to function '_dpd.addPreproc'
> > > make[3]: *** [dpx.lo] Error 1
> > > make[3]: Leaving directory `/usr/src/dpx-1.5/src'
> > > make[2]: *** [all] Error 2
> > > make[2]: Leaving directory `/usr/src/dpx-1.5/src'
> > > make[1]: *** [all-recursive] Error 1
> > > make[1]: Leaving directory `/usr/src/dpx-1.5'
> > > make: *** [all] Error 2
> > > Making install in src
> > > make[1]: Entering directory `/usr/src/dpx-1.5/src'
> > > make install-am
> > > make[2]: Entering directory `/usr/src/dpx-1.5/src'
> > > /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I/root/snort/src/dynamic-examples/include -g -O2 -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall -DZLIB -DGRE -DMPLS -DPPM_MGR -DNDEBUG -DENABLE_REACT -DENABLE_RESPOND -DENABLE_RESPONSE3 -DSF_WCHAR -DTARGET_BASED -DPERF_PROFILING -DSNORT_RELOAD -DNO_NON_ETHER_DECODER -DNORMALIZER -DACTIVE_RESPONSE -fvisibility=hidden -c -o dpx.lo dpx.c
> > > libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I/root/snort/src/dynamic-examples/include -g -O2 -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall -DZLIB -DGRE -DMPLS -DPPM_MGR -DNDEBUG -DENABLE_REACT -DENABLE_RESPOND -DENABLE_RESPONSE3 -DSF_WCHAR -DTARGET_BASED -DPERF_PROFILING -DSNORT_RELOAD -DNO_NON_ETHER_DECODER -DNORMALIZER -DACTIVE_RESPONSE -fvisibility=hidden -c dpx.c -fPIC -DPIC -o .libs/dpx.o
> > > dpx.c: In function 'DPX_New':
> > > dpx.c:151: error: too few arguments to function '_dpd.getParserPolicy'
> > > dpx.c: In function 'DPX_Delete':
> > > dpx.c:180: warning: passing argument 1 of 'sfPolicyUserDataIterate' from incompatible pointer type
> > > /root/snort/src/dynamic-examples/include/sfPolicyUserData.h:137: note: expected 'struct _SnortConfig *' but argument is of type 'tSfPolicyUserContextId'
> > > dpx.c:180: warning: passing argument 2 of 'sfPolicyUserDataIterate' from incompatible pointer type
> > > /root/snort/src/dynamic-examples/include/sfPolicyUserData.h:137: note: expected 'tSfPolicyUserContextId' but argument is of type 'int (*)(struct tSfPolicyUserContext *, tSfPolicyId, void *)'
> > > dpx.c:180: error: too few arguments to function 'sfPolicyUserDataIterate'
> > > dpx.c: In function 'DPX_Setup':
> > > dpx.c:196: warning: passing argument 2 of '_dpd.registerPreproc' from incompatible pointer type
> > > dpx.c:196: note: expected 'PreprocessorInitFunc' but argument is of type 'void (*)(char *)'
> > > dpx.c:196: warning: passing argument 3 of '_dpd.registerPreproc' from incompatible pointer type
> > > dpx.c:196: note: expected 'PreprocessorReloadFunc' but argument is of type 'void (*)(char *)'
> > > dpx.c:196: warning: passing argument 4 of '_dpd.registerPreproc' from incompatible pointer type
> > > dpx.c:196: note: expected 'PreprocessorReloadVerifyFunc' but argument is of type 'void * (*)(void)'
> > > dpx.c:196: warning: passing argument 5 of '_dpd.registerPreproc' from incompatible pointer type
> > > dpx.c:196: note: expected 'PreprocessorReloadSwapFunc' but argument is of type 'void (*)(void *)'
> > > dpx.c:196: error: too few arguments to function '_dpd.registerPreproc'
> > > dpx.c: In function 'DPX_Init':
> > > dpx.c:208: warning: passing argument 1 of '_dpd.addPreproc' from incompatible pointer type
> > > dpx.c:208: note: expected 'struct _SnortConfig *' but argument is of type 'void (*)(void *, void *)'
> > > dpx.c:208: warning: passing argument 2 of '_dpd.addPreproc' makes pointer from integer without a cast
> > > dpx.c:208: note: expected 'void (*)(void *, void *)' but argument is of type 'int'
> > > dpx.c:208: error: too few arguments to function '_dpd.addPreproc'
> > > make[2]: *** [dpx.lo] Error 1
> > > make[2]: Leaving directory `/usr/src/dpx-1.5/src'
> > > make[1]: *** [install] Error 2
> > >
> > > I don't think so many errors should be encountered. Or if they do, what to do now :)
> > >
> > > Thanks a lot for all the help.
> > >
> > > Regards
> > >
> > > On Thu, Nov 7, 2013 at 11:48 PM, Amtul Saboor <saboor.amtul () gmail com> wrote:
> > >
> > > > Yes I know, I mentioned the path :) I just wrote /path/to/snort for explaining here.
> > > >
> > > > On Thu, Nov 7, 2013 at 10:46 AM, Russ Combs <rcombs () sourcefire com> wrote:
> > > >
> > > > > "path/to/snort/" should be replaced with your actual path to the Snort source tree.
> > > > >
> > > > > On Thu, Nov 7, 2013 at 1:43 PM, Amtul Saboor <saboor.amtul () gmail com> wrote:
> > > > >
> > > > > > Thanks Russ, yes src/ is showing up. And I have followed the steps mentioned by Alex. Not complicated at all. But still unable to succeed.
> > > > > >
> > > > > > When I open setup.sh this line is written inside: "SNORT : path/to/snort/"
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > On Thu, Nov 7, 2013 at 10:23 AM, Russ Combs <rcombs () sourcefire com> wrote:
> > > > > >
> > > > > > > You are building with dpx ... did you configure setup.sh correctly? If you ls $SNORT, configure.in and src/ should show up among others.
> > > > > > >
> > > > > > > On Thu, Nov 7, 2013 at 12:48 PM, Amtul Saboor <saboor.amtul () gmail com> wrote:
> > > > > > >
> > > > > > > > Yes, I have configured with --enable-build-dynamic-examples and also, since I am using version 2.9.5.5, the file #include "sf_types.h" is already there before #include "snort_debug.h" in the dpx.c file. But the error persists.
> > > > > > > >
> > > > > > > > On Thu, Nov 7, 2013 at 9:41 AM, Russ Combs <rcombs () sourcefire com> wrote:
> > > > > > > >
> > > > > > > > > Did you configure with --enable-build-dynamic-examples ?
> > > > > > > > >
> > > > > > > > > On Wed, Nov 6, 2013 at 12:34 PM, Amtul Saboor <saboor.amtul () gmail com> wrote:
> > > > > > > > >
> > > > > > > > > > Hello
> > > > > > > > > >
> > > > > > > > > > I am an Information Security student and I am working on Snort. I want to make my own dynamic preprocessor. I am facing the following error:
> > > > > > > > > >
> > > > > > > > > > make[2]: *** No rule to make target `/usr/local/snort/src/dynamic-examples/include/sf_dynamic_preproc_lib.c', needed by `sf_dynamic_preproc_lib.c'. Stop.
> > > > > > > > > >
> > > > > > > > > > That error has been addressed in this link: http://seclists.org/snort/2013/q1/161
> > > > > > > > > >
> > > > > > > > > > But I am unable to understand it. Please explain what the person meant by the following sentence (I emailed him but he is not responding):
> > > > > > > > > >
> > > > > > > > > > "Well, changed the directory in build.sh to the one containing the required .c files----fixed the previous error. Then a libtool error occurred, searched and found an answer by Russ---fixed..."
> > > > > > > > > >
> > > > > > > > > > That will be a great help. If you know what more I should be doing for correct installation please guide me about it. I am quite worried about it.
> > > > > > > > > >
> > > > > > > > > > Regards
> > > > > > > > > >
> > > > > > > > > > On Sat, Nov 2, 2013 at 2:13 PM, Amtul Saboor <saboor.amtul () gmail com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Hello
> > > > > > > > > > >
> > > > > > > > > > > I am a computer sciences student and new to Snort. I am trying to create a preprocessor for snort with the following guidelines: http://sourceforge.net/apps/mediawiki/snort-ai/index.php?title=Snort_Preprocessors_Kickstart
> > > > > > > > > > >
> > > > > > > > > > > But the code gives the following errors:
> > > > > > > > > > >
> > > > > > > > > > > Unable to find "plugbase.h" No such file or directory
> > > > > > > > > > > Unable to find "decode.h" No such file or directory
> > > > > > > > > > >
> > > > > > > > > > > One more thing, in which IDE should I compile the code? In Linux, is it okay to compile the code using the GCC command? Is it compatible with Snort? Sorry for my questions but I need to ask them anyway.
> > > > > > > > > > >
> > > > > > > > > > > Has anyone tried this before? Let me know. Any help will be appreciated.
> > > > > > > > > > >
> > > > > > > > > > > Thanks n regards
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Amtul Saboor
> > > > > > > > > > > Business Development Executive
> > > > > > > > > > > Professionals Agency
> > > > > > > > > > > www.p-itsol.com
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
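Editor's note, not part of the thread: two of the failures discussed above come from setup.sh rather than from dpx itself. The dpx scripts source ./setup.sh, so its first line is executed as shell: `SNORT=/abs/path` assigns the variable, while a bare path is run as a command (that is what "./setup.sh: line 1: /root/snort: is a directory" means) and `SNORT : path/to/snort/` is a command named SNORT with two arguments. In neither case is $SNORT set, so build.sh's guard reports "you must echo SNORT=/path/to/snort/dir > setup.sh first" even though a setup.sh exists. The POSIX sh checker below is an added example, not code from the thread or from the dpx package; its function names and the exact list of files it looks for are my own choice, built from the markers named in the thread (configure.in and src/ under $SNORT, and src/dynamic-examples/include/sf_dynamic_preproc_lib.c, the file build.sh copies and the "No rule to make target" error refers to).

```shell
#!/bin/sh
# Added example (not from the thread or the dpx package): sanity checks for the
# setup.sh that dpx's build.sh/test.sh source, and for the Snort tree it names.
# Function names are assumptions of this example; the markers checked are the
# ones the thread mentions.

# check_setup_file FILE
# Returns 0 if FILE's first line is a plain "SNORT=/abs/path" assignment, else
# explains on stderr what sourcing that line would actually do and returns 1.
check_setup_file() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "ERROR: $file not found; create it with: echo SNORT=/path/to/snort/dir > $file" >&2
        return 1
    fi
    line=$(head -n 1 "$file")
    case $line in
        SNORT=/* | "export SNORT="/*)
            return 0 ;;
        SNORT=*)
            echo "ERROR: SNORT must be an absolute path, got: $line" >&2
            return 1 ;;
        *SNORT*)
            echo "ERROR: first line must be exactly SNORT=/path (no spaces, no colon, no \$), got: $line" >&2
            return 1 ;;
        *)
            echo "ERROR: first line is not an assignment; sourcing it would execute '$line' as a command" >&2
            return 1 ;;
    esac
}

# check_snort_tree DIR
# Returns 0 if DIR carries the markers of a Snort source tree configured with
# --enable-build-dynamic-examples; otherwise lists what is missing and returns 1.
check_snort_tree() {
    dir=$1
    missing=""
    for entry in configure.in src src/dynamic-examples/include/sf_dynamic_preproc_lib.c; do
        [ -e "$dir/$entry" ] || missing="$missing $entry"
    done
    if [ -n "$missing" ]; then
        echo "ERROR: $dir does not look like a usable Snort tree; missing:$missing" >&2
        echo "       (src/dynamic-examples/include is only populated when Snort was configured with --enable-build-dynamic-examples)" >&2
        return 1
    fi
    return 0
}

# check_dpx_env [SETUP_FILE]
# The effect of build.sh's guard, with one difference: setup.sh is sourced only
# after its first line has been verified to be an assignment, so a malformed
# file is reported instead of executed.
check_dpx_env() {
    setup=${1:-./setup.sh}
    case $setup in */*) ;; *) setup=./$setup ;; esac   # "." would otherwise search PATH
    check_setup_file "$setup" || return 1
    . "$setup"
    check_snort_tree "$SNORT" || return 1
    echo "OK: SNORT=$SNORT"
    return 0
}

# Usage, from the dpx directory (the one holding build.sh and setup.sh):
#   sh check_dpx_env.sh
case ${0##*/} in check_dpx_env.sh) check_dpx_env "$@" ;; esac
```

Run it from the dpx directory, the same place Russ asks for build.sh and test.sh to be run from: both this checker and the dpx scripts resolve ./setup.sh against the current directory, which is why running them from elsewhere fails even with a correct setup.sh.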
Current thread:
- Writing Preprocessor For Snort Amtul Saboor (Nov 02)
- Re: Writing Preprocessor For Snort Joel Esler (Nov 03)
- Re: Writing Preprocessor For Snort Mayur Patil (Nov 03)
- Re: Writing Preprocessor For Snort Amtul Saboor (Nov 06)
- Re: Writing Preprocessor For Snort Russ Combs (Nov 07)
- Re: Writing Preprocessor For Snort Russ Combs (Nov 08)
- Re: Writing Preprocessor For Snort Amtul Saboor (Nov 08)
- Re: Writing Preprocessor For Snort Russ Combs (Nov 07)