snort-devel February 2014 archive

Re: [Snort-devel] [Snort-Devel] SNORT Detection-Plugin just call once

From: Emiliano Fausto <emiliano.fausto_at_nospam>
Date: Thu Feb 13 2014 - 12:38:05 GMT
To: John Eure <john.eure@gmail.com>

Hello John,

thanks a lot for your quick answer. You are totally right about the way my
static Detection Plugin should be called.

Then as you guessed, the problem is that MyDetectionPlugin_MyRuleOption_Init()
isn't called at all.

I'll start researching in that line, again... Thanks for your help!

Emiliano.

2014-02-12 18:56 GMT-03:00 John Eure <john.eure@gmail.com>:

> I've only done this a few times before, but it sounds like you might be
> setting something up incorrectly? My static detection plugin setup code
> looks something like this (please pardon the incredibly simplified
> pseudocode):
>
> // called once, during setup
> MyDetectionPlugin_Setup()
> {
>     // pass the init function itself, not the result of calling it
>     RegisterRuleOption("my_option_name",
>                        MyDetectionPlugin_MyRuleOption_Init);
> }
>
> // called once per rule that uses "my_option_name", during setup
> MyDetectionPlugin_MyRuleOption_Init()
> {
>     // register the detect function; the engine calls it later, per packet
>     OptFpList * fpl =
>         AddOptFuncToList(MyDetectionPlugin_MyRuleOption_Detect);
> }
>
> // called a lot, at most once per packet per rule, during detection
> MyDetectionPlugin_MyRuleOption_Detect()
> {
>     return DETECTION_OPTION_MATCH;
> }
>
> If you're not seeing multiple calls to your equivalent of
> "MyDetectionPlugin_MyRuleOption_Init()", then that's probably the place to
> start investigating.
>
> If that's not the cause, then I'm guessing you're doing something wrong
> when assigning values to the state associated with the rules. You need to
> be setting up the OptTreeNode and OptFuncList correctly, including setting
> otn->ds_list[plugin_type] to something associated with your rule. But
> that's way more complicated than I feel comfortable explaining, so my
> suggestion would be to pick a few simple detection plugins, and follow
> their logic?
>
> Good luck,
> John
>
>
>
> On Wed, Feb 12, 2014 at 12:26 PM, Emiliano Fausto <
> emiliano.fausto@gmail.com> wrote:
>
>> Hello there,
>>
>> I'm debugging with gdb a detection plugin I've developed, and there's
>> something I am not fully understanding.
>>
>> I have this function (which should be called every time a packet matches
>> one of my rules which invokes a keyword named "MyDP"):
>>
>> ...
>> typedef struct _MyDPData
>> {
>>     u_int16_t num;
>> } MyDPData;
>> ...
>>
>> int MyDPCheck(void *context, Packet *p)
>> {
>>     MyDPData *mydata;
>>
>>     LogMessage("My processing function was called\n");
>>
>>     if (!p->tcph)
>>         return DETECTION_OPTION_NOT_MATCH;
>>
>>     mydata = (MyDPData *) context;
>>
>>     if (mydata->num == 90) {
>>         LogMessage("it matched\n");
>>         return DETECTION_OPTION_MATCH;
>>     }
>>
>>     return DETECTION_OPTION_NOT_MATCH;
>> }
>>
>> I'm facing 2 problems here:
>>
>> 1) When I'm debugging with GDB it seems that this function is being
>> called just once. The moment it's called is when Snort is parsing the
>> snort.conf file and detects there's a keyword in a rule which matches
>> "MyDP". Then it doesn't matter how many packets validate the rest of the
>> rule, it doesn't seem to be called (because the breakpoint on the
>> function MyDPCheck isn't triggered any more).
>>
>> Note: It's strange, because my /var/log/snort/alert file is full of
>> alerts referring to this alert being triggered, although I don't see the
>> "it matched" message.
>>
>> My question is, shouldn't it be logging the message "it matched" each
>> time it matches a packet calling this rule with num==90?
>>
>> Snort.Conf rule -> alert tcp any any -> any any (MyDP: 90; msg: "My DP
>> was called"; sid: 5016666; rev:1;)
>>
>> 2) I realized that it doesn't matter what number I put into the rule (in
>> the previous example I just put 90), the Detection Plugin always returns
>> "True" --> DETECTION_OPTION_MATCH.
>> So it doesn't make any sense to me, as it's a really simple comparison
>> between the number stored in the option value and the hard-coded value 90.
>>
>> In this case, I'm almost sure that the alert should NOT be triggered if I
>> put a number different from 90 in the keyword value, right?
>>
>> Thanks in advance to anyone who could give me some light on this matter!
>> Emiliano.
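The thread turns on the split John describes: the init (config) function runs once per rule while snort.conf is parsed, and only the function handed to AddOptFuncToList runs per packet. The following is an added example, not code from the thread and not Snort's own API: a self-contained stand-in that models that lifecycle with constructed Packet, OptTreeNode and OptFpList types (names borrowed from the thread, layouts invented here). It shows the correct wiring beside a hypothetical faulty init that calls the check at parse time instead of registering it, which reproduces both symptoms Emiliano reports: the check is hit exactly once under gdb, during config parsing, and the rule then alerts on every packet whatever value the option carries, because a rule whose option chain is empty matches vacuously.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define DETECTION_OPTION_MATCH     1
#define DETECTION_OPTION_NOT_MATCH 0

/* Constructed stand-ins: real Snort structs carry far more fields; only
 * what this demonstration needs is modelled. */
typedef struct { int has_tcp; } Packet;

typedef int (*RuleOptEvalFunc)(void *context, Packet *p);

typedef struct OptFpList {
    RuleOptEvalFunc eval;      /* per-packet check for this option */
    void *context;             /* the option's parsed data */
    struct OptFpList *next;
} OptFpList;

typedef struct {
    OptFpList *opt_func;       /* evaluation chain walked once per packet */
    void *ds_list;             /* plugin data attached to this rule */
} OptTreeNode;

typedef struct { uint16_t num; } MyDPData;

static int g_check_calls;      /* how many times MyDPCheck has run */

int MyDPCheckCalls(void) { return g_check_calls; }

/* Eval function: the engine calls this at most once per packet per rule,
 * with the context registered for that rule. */
int MyDPCheck(void *context, Packet *p)
{
    MyDPData *mydata = (MyDPData *)context;
    g_check_calls++;
    if (p == NULL || !p->has_tcp)
        return DETECTION_OPTION_NOT_MATCH;
    return mydata->num == 90 ? DETECTION_OPTION_MATCH : DETECTION_OPTION_NOT_MATCH;
}

/* Stand-in for AddOptFuncToList: append an eval function to the rule. */
OptFpList *AddOptFuncToList(RuleOptEvalFunc fn, void *ctx, OptTreeNode *otn)
{
    OptFpList *node = calloc(1, sizeof *node);
    OptFpList **tail = &otn->opt_func;
    node->eval = fn;
    node->context = ctx;
    while (*tail)
        tail = &(*tail)->next;
    *tail = node;
    return node;
}

/* Correct init: runs once per rule at parse time, parses the option
 * argument, attaches the data to the rule and registers the eval function. */
void MyDPInit(const char *data, OptTreeNode *otn)
{
    MyDPData *d = calloc(1, sizeof *d);
    d->num = (uint16_t)strtoul(data, NULL, 10);
    otn->ds_list = d;
    AddOptFuncToList(MyDPCheck, d, otn);
}

/* Hypothetical faulty init: the check is called once here, at parse time,
 * and never added to the chain. */
void MyDPInitFaulty(const char *data, OptTreeNode *otn)
{
    MyDPData *d = calloc(1, sizeof *d);
    d->num = (uint16_t)strtoul(data, NULL, 10);
    otn->ds_list = d;
    MyDPCheck(d, NULL);        /* called instead of registered */
}

/* Stand-in for the detection engine: a rule fires only if every option in
 * its chain matches, so an empty chain matches vacuously. */
int EvaluateRule(OptTreeNode *otn, Packet *p)
{
    for (OptFpList *f = otn->opt_func; f != NULL; f = f->next)
        if (f->eval(f->context, p) != DETECTION_OPTION_MATCH)
            return DETECTION_OPTION_NOT_MATCH;
    return DETECTION_OPTION_MATCH;
}

/* Parse one rule with the given init, push `npackets` TCP packets through
 * it and return the number of alerts raised. */
int RunScenario(void (*init)(const char *, OptTreeNode *), const char *opt, int npackets)
{
    OptTreeNode otn = {0};
    Packet pkt = { .has_tcp = 1 };
    int alerts = 0;

    g_check_calls = 0;
    init(opt, &otn);
    for (int i = 0; i < npackets; i++)
        alerts += EvaluateRule(&otn, &pkt);

    while (otn.opt_func) {     /* release the chain */
        OptFpList *next = otn.opt_func->next;
        free(otn.opt_func);
        otn.opt_func = next;
    }
    free(otn.ds_list);
    return alerts;
}

int main(void)
{
    int a = RunScenario(MyDPInit, "90", 5);
    printf("correct init, MyDP:90 -> %d alerts, %d checks\n", a, MyDPCheckCalls());
    a = RunScenario(MyDPInit, "80", 5);
    printf("correct init, MyDP:80 -> %d alerts, %d checks\n", a, MyDPCheckCalls());
    a = RunScenario(MyDPInitFaulty, "80", 5);
    printf("faulty init,  MyDP:80 -> %d alerts, %d checks\n", a, MyDPCheckCalls());
    return 0;
}
```

With the correct init, five packets give five checks and alerts only when the option value is 90; with the faulty init the check count stays at one for any number of packets and the rule alerts every time. In the real plugin the equivalent diagnostic is the one John suggests: a breakpoint on the init function (or on AddOptFuncToList) during config parsing confirms whether the check is being registered at all.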

_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!