Snort mailing list archives
Dynamic preprocessors: Detection engine on normalized data only
From: Arun Koshal <akoshal04 () gmail com>
Date: Sat, 21 Feb 2015 13:04:23 +0530
Hi,

We are developing a simple Snort dynamic preprocessor for a TCP-based application. The application traffic includes messages of varying lengths between the client and server. The objective of the preprocessor is to have Snort do rule detection on messages rather than on packets. The preprocessor simply identifies the message boundaries based on the message length in the message header and copies the message into DecodeBuffer.data. We are calling the SetAltDecode function with the proper message length, followed by _dpd.detect(). We observe that Snort is still working on the packet payload instead of this normalized DecodeBuffer. Is this behavior correct? How can we make the Snort rule engine work on the normalized payload in DecodeBuffer and ignore the payload in the Packet? We are using Snort 2.9.6.2. Please suggest.

Thanks,
Arun
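As an added example (not the poster's code and not the Snort preprocessor API), the reassembly step such a preprocessor performs before handing a message to detection, in stand-alone C: a 2-byte big-endian length header is assumed, and the constructed traffic shows why a pattern split across two TCP segments is invisible to per-packet matching but found once the whole message is buffered.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example (not Snort's API): reassemble length-prefixed messages from
 * TCP segment payloads so content checks run on whole messages, not on packets.
 * Assumed wire format: 2-byte big-endian body length followed by the body. */
#define HDR_LEN  2
#define MAX_BODY 1024
typedef struct { uint8_t buf[HDR_LEN + MAX_BODY]; size_t have; } reasm_t; /* message so far */

int contains(const uint8_t *hay, size_t n, const char *pat)
{   /* 1 if pat occurs within hay[0..n), else 0 */
    for (size_t i = 0, m = strlen(pat); i + m <= n; i++)
        if (memcmp(hay + i, pat, m) == 0) return 1;
    return 0;
}

/* Feed one segment payload; each completed message body is checked for pat. Returns
 * the number of matching messages, or -1 if a header claims more than MAX_BODY bytes
 * (stream desynchronised: state is reset and the caller should stop inspecting). */
int reasm_feed(reasm_t *r, const uint8_t *seg, size_t n, const char *pat)
{
    int hits = 0;
    while (n > 0) {
        size_t target = HDR_LEN;               /* need the header first, then header + body */
        if (r->have >= HDR_LEN) target += ((size_t)r->buf[0] << 8) | r->buf[1];
        size_t take = target - r->have < n ? target - r->have : n;
        memcpy(r->buf + r->have, seg, take);
        r->have += take; seg += take; n -= take;
        if (r->have < HDR_LEN) break;          /* header still incomplete; segment used up */
        target = HDR_LEN + (((size_t)r->buf[0] << 8) | r->buf[1]);
        if (target > HDR_LEN + MAX_BODY) { r->have = 0; return -1; }
        if (r->have == target) {               /* whole message buffered: inspect, then reset */
            hits += contains(r->buf + HDR_LEN, target - HDR_LEN, pat);
            r->have = 0;
        }
    }
    return hits;
}

/* Constructed traffic: a 20-byte message split across two segments so that
 * "DROP TABLE" straddles the packet boundary. */
static const uint8_t SEG1[] = { 0x00, 0x14, 'S','E','L','E','C','T',' ','1',';',' ','D','R','O','P' };
static const uint8_t SEG2[] = { ' ','T','A','B','L','E' };
static const char *PAT = "DROP TABLE";
int demo_per_packet(void)   /* each payload inspected alone: 0, the pattern is split */
{   return contains(SEG1 + HDR_LEN, sizeof SEG1 - HDR_LEN, PAT) + contains(SEG2, sizeof SEG2, PAT); }
int demo_per_message(void)  /* the reassembled message inspected: 1 */
{   reasm_t r = {0};
    return reasm_feed(&r, SEG1, sizeof SEG1, PAT) + reasm_feed(&r, SEG2, sizeof SEG2, PAT); }
```

The reassembler state lives per flow in a real preprocessor; the oversize check matters because a corrupted or hostile length field would otherwise stall the stream in a half-buffered state.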
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!