snort-devel July 2008 archive

Re: [Snort-devel] Question about DAQ in snort 3.0

From: Russ Combs <rcombs_at_nospam>
Date: Mon Jul 07 2008 - 12:49:29 GMT
To: Jun Xiao <xiaojuntime@gmail.com>


Jun,

The analyze() function in the analyzer_module_t returns one of the ANALYZER_ACTION values. See analyzer_api.h for details.

From the RELEASE.NOTES: The ipq DAQ has not been compiled or tested.
If you have any fixes, please send them. :)

pcap_process_loop() must copy the packet data because in SnortSP the packet lifetime is always longer than the callback in which it was acquired. (This differs from Snort except for reassembly in which case a copy is also required.) To avoid the copy, the pcap library would have to provide a function that wrote the packet data into a caller supplied buffer.

Russ

On Mon, 2008-07-07 at 16:41 +0800, Jun Xiao wrote:
> I think the mechanism is that the engine will invoke the callback
> function finish_packet() to tell the data source module to take the
> corresponding action. Is that correct?
> There is also another question: why do we need to do a packet copy in dap_pcap.c?
> pcap_process_loop() {
> ...
> memcpy(p, data, pkth->caplen);
> ...
> }
> Can we reuse data pointer to reduce the packet copy?
>
> Thanks,
> Jun
>
> 2008/7/4 Xiao Jun <xiaojuntime@gmail.com>:
> > Hi All,
> >
> > I am wondering whether the snort 3.0 beta + iptables (IPS mode) is workable or not;
> > that is, how does the engine return the detection result (for
> > example, drop or reject) back to the data source?
> >
> > BTW, at line 147 of daq_ipq.c, "dd.resolution" should be used to
> > return the detection result, but I cannot even find the
> > definition for resolution.
> >
> > Thanks,
> > Jun
> >
>
> -------------------------------------------------------------------------
> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> Studies have shown that voting for your favorite open source project,
> along with a healthy diet, reduces your potential for chronic lameness
> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
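
The packet-lifetime point in Russ's reply, as an added example that is not code from SnortSP or from this thread: a capture loop hands the callback a buffer that is reused for the next packet, so a queued pointer goes stale while a bounded copy stays intact. libpcap is simulated here so the block runs offline; `hdr`, `queue`, `on_packet`, `capture_loop`, `run_demo` and `SNAPLEN` are hypothetical names, and the packet bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SNAPLEN 64   /* assumed capture buffer size */
#define NPKT    3
/* Hypothetical stand-in for struct pcap_pkthdr: captured length only. */
struct hdr { uint32_t caplen; };
/* A queued packet that must outlive the callback that acquired it. */
struct pkt { const uint8_t *alias; uint8_t copy[SNAPLEN]; uint32_t len; };
struct queue { struct pkt slot[NPKT]; int n; };
static const char *wire[NPKT] = { "pkt-A", "pkt-B", "pkt-C" }; /* constructed */

/* Callback: records the raw pointer (unsafe) and a bounded copy (safe). */
static void on_packet(struct queue *q, const struct hdr *h, const uint8_t *data)
{
    if (q->n >= NPKT || h->caplen > SNAPLEN)
        return;                        /* drop rather than overrun copy[] */
    struct pkt *p = &q->slot[q->n++];
    p->alias = data;                   /* only valid until we return */
    memcpy(p->copy, data, h->caplen);  /* owned by the queue from now on */
    p->len = h->caplen;
}

/* Simulated capture loop: one buffer is reused for every packet. */
static void capture_loop(struct queue *q)
{
    static uint8_t buf[SNAPLEN];
    for (int i = 0; i < NPKT; i++) {
        struct hdr h = { (uint32_t)strlen(wire[i]) };
        memcpy(buf, wire[i], h.caplen);
        on_packet(q, &h, buf);
    }
}

/* Count queued packets that still hold the bytes they were captured with. */
static int run_demo(int use_alias)
{
    struct queue q = { .n = 0 };
    int ok = 0;
    capture_loop(&q);
    for (int i = 0; i < q.n; i++)
        ok += memcmp(use_alias ? q.slot[i].alias : q.slot[i].copy,
                     wire[i], q.slot[i].len) == 0;
    return ok;
}

int main(void)
{
    printf("intact via alias: %d, via copy: %d\n", run_demo(1), run_demo(0));
}
```

The length check before `memcpy` matters as much as the copy itself: the destination must be sized for the largest `caplen` the capture can deliver, or the packet has to be dropped.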


