Snort mailing list archives

Dynamic preprocessors: Detection engine on normalized data only


From: Arun Koshal <akoshal04 () gmail com>
Date: Sat, 21 Feb 2015 13:04:23 +0530

Hi,

We are developing a simple Snort dynamic preprocessor for a TCP-based
application. The application traffic includes messages of varying lengths
between the client and server. The objective of the preprocessor is to have
Snort do rule detection on messages rather than on packets.

The preprocessor simply identifies the message boundaries based on the
message length in the message header and copies the message into
DecodeBuffer.data. We are calling the SetAltDecode function with the proper message
length, followed by _dpd.detect(). We observe that Snort is still
working on the packet payload instead of this normalized DecodeBuffer. Is
this behavior correct?

How can we make the Snort rule engine work on the normalized payload in
DecodeBuffer and ignore the payload in the Packet?

We are using Snort 2.9.6.2.

Please suggest.

Thanks,
Arun
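The framing step the post describes, reassembling length-prefixed messages from a TCP stream and handing each complete message to detection, written as a self-contained example added here (not the poster's code and not Snort's API). The AltBuffer and run_detect() stand-ins model DecodeBuffer.data, SetAltDecode() and _dpd.detect(); the 2-byte big-endian length header is a constructed wire format, and the per-flow FlowState handles messages that span segments, which is the case a packet-oriented rule would miss.

```c
#include <stdint.h>
#include <string.h>

#define ALT_MAX 65535

/* Stand-in for Snort's DecodeBuffer (the post's DecodeBuffer.data / length). */
typedef struct { uint8_t data[ALT_MAX]; uint16_t len; } AltBuffer;

/* Per-flow reassembly state: bytes of a message that spanned TCP segments. */
typedef struct { uint8_t pend[ALT_MAX]; size_t pend_len; } FlowState;

/* Constructed wire format: 2-byte big-endian length (header included), then body. */
static size_t msg_len(const uint8_t *b) { return ((size_t)b[0] << 8) | b[1]; }

/* Stand-in for SetAltDecode() + _dpd.detect(): records what detection would see. */
int detect_calls = 0;
static void run_detect(AltBuffer *alt, const uint8_t *msg, size_t n) {
    memcpy(alt->data, msg, n);
    alt->len = (uint16_t)n;   /* the length SetAltDecode() would be given */
    detect_calls++;
}

/* Feed one TCP segment payload for a flow. Returns the number of complete
 * messages delivered to detection, or -1 if the stream cannot be framed. */
int process_segment(FlowState *fs, AltBuffer *alt, const uint8_t *seg, size_t seg_len) {
    int delivered = 0;
    size_t off = 0;
    if (seg_len > ALT_MAX - fs->pend_len) { fs->pend_len = 0; return -1; } /* oversized */
    memcpy(fs->pend + fs->pend_len, seg, seg_len);   /* append to any partial message */
    fs->pend_len += seg_len;
    while (fs->pend_len - off >= 2) {
        size_t n = msg_len(fs->pend + off);
        if (n < 2) { fs->pend_len = 0; return -1; }  /* malformed header: cannot frame */
        if (fs->pend_len - off < n) break;            /* incomplete: wait for next segment */
        run_detect(alt, fs->pend + off, n);           /* one detect() pass per message */
        delivered++;
        off += n;
    }
    memmove(fs->pend, fs->pend + off, fs->pend_len - off); /* keep unconsumed tail */
    fs->pend_len -= off;
    return delivered;
}
```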
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
