Snort mailing list archives
Re: Multiple IPS action plugin problem
From: "Russ Combs (rucombs) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 7 Sep 2020 22:39:57 +0000
Hi,

A rule has exactly one action. Did you configure a rule for each of your action types? If those rules are set to alert, do they alert?

Russ

________________________________________
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Sent: Sunday, September 6, 2020 11:31 PM
To: snort-devel () lists snort org
Subject: [Snort-devel] Multiple IPS action plugin problem

Hello,

I developed 3 example ips_action plugins using the snort3_extra repository (i.e. modifypacket_1, modifypacket_2, modifypacket_3).

In the /usr/local/etc/snort/plugins folder:
- When a single .so file exists, the plugin works perfectly.
- When all 3 .so files exist, only the last registered one is triggered for the modifypacket_1, modifypacket_2 and modifypacket_3 rules.

    # snort --plugin-path /usr/local/etc/snort/plugins --list-plugins | grep ips_action
    ips_action::modifypacket_1 v0 /usr/local/etc/snort/plugins/act_modifypacket_1.so
    ips_action::modifypacket_2 v0 /usr/local/etc/snort/plugins/act_modifypacket_2.so
    ips_action::modifypacket_3 v0 /usr/local/etc/snort/plugins/act_modifypacket_3.so
    ips_action::react v0 static
    ips_action::reject v0 static
    ips_action::rewrite v0 static

For debugging, I put log messages in the mod_ctor and action_ctor functions. In the logs, all 3 mod_ctor and action_ctor functions are called. But only the last registered .so file's Action::exec(Packet* p) method is called for all of the modifypacket_1, modifypacket_2, modifypacket_3 actions.

There are no common method and class names (except the snort_plugins[] variable) across all .so files. I couldn't find where the bug is and how the other actions are related to 1 Action::exec method.

Can you help to resolve this problem?

Regards