snort-devel July 2008 archive

Re: [Snort-devel] Question about DAQ in snort 3.0

From: Jun Xiao <xiaojuntime_at_nospam>
Date: Tue Jul 08 2008 - 05:20:04 GMT
To: "Russ Combs" <rcombs@sourcefire.com>


Russ,

Thanks for the info.
But I don't think analyze() can really return the ANALYZER_ACTION result; actually, it is executed in a different thread than the caller.

Thanks,
Jun

2008/7/7 Russ Combs <rcombs@sourcefire.com>:
> Jun,
>
> The analyze() function in the analyzer_module_t returns back one of the
> ANALYZER_ACTION values. See analyzer_api.h for details.
>
> From the RELEASE.NOTES: The ipq DAQ has not been compiled or tested.
> If you have any fixes, please send them. :)
>
> pcap_process_loop() must copy the packet data because in SnortSP the
> packet lifetime is always longer than the callback in which it was
> acquired. (This differs from Snort except for reassembly in which case
> a copy is also required.) To avoid the copy, the pcap library would
> have to provide a function that wrote the packet data into a caller
> supplied buffer.
>
> Russ
>
> On Mon, 2008-07-07 at 16:41 +0800, Jun Xiao wrote:
>> I think the mechanism is that the engine will invoke the callback
>> function finish_packet() to tell data source module to take the
>> corresponding action. Is that correct?
>> There is also another question: why do we need to do a packet copy in daq_pcap.c?
>> pcap_process_loop() {
>> ...
>> memcpy(p, data, pkth->caplen);
>> ...
>> }
>> Can we reuse data pointer to reduce the packet copy?
>>
>> Thanks,
>> Jun
>>
>> 2008/7/4 Xiao Jun <xiaojuntime@gmail.com>:
>> > Hi All,
>> >
>> > I am wondering whether the snort 3.0 beta + iptables (IPS mode) is workable or not,
>> > that is, how does the engine return the detection result (for
>> > example, drop or reject) back to the data source?
>> >
>> > BTW, at line 147 of daq_ipq.c, "dd.resolution" should be used to
>> > return the detection result, but I cannot even find the
>> > definition of resolution.
>> >
>> > Thanks,
>> > Jun
>> >
>>
>> -------------------------------------------------------------------------
>> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
>> Studies have shown that voting for your favorite open source project,
>> along with a healthy diet, reduces your potential for chronic lameness
>> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
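The two points under discussion (the packet copy in pcap_process_loop() because the packet outlives the acquisition callback, and a finish_packet()-style callback carrying the verdict back to the data source) can be shown in one small C program. This is an added example, not SnortSP's or libpcap's code: pkthdr_t, owned_pkt_t, acquire_packet(), run_demo(), MAX_SNAPLEN and the VERDICT_* values are all assumptions made for the illustration, and the capture loop is simulated with a single reused buffer to stand in for the library-owned memory a real callback receives.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the capture header; only the fields used here. */
typedef struct { uint32_t caplen; uint32_t len; } pkthdr_t;

/* Largest capture the owned buffer can hold (assumed value). */
#define MAX_SNAPLEN 1518

/* Hypothetical verdicts, modelled on the thread's ANALYZER_ACTION idea. */
enum { VERDICT_UNSET = -1, VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* A packet owned by the engine: valid long after the callback returned. */
typedef struct {
    pkthdr_t hdr;
    uint8_t  data[MAX_SNAPLEN];
    int      verdict;              /* filled in later by finish_packet() */
} owned_pkt_t;

/* Copy the callback's transient buffer into caller-owned storage.
 * caplen is bounded against the buffer so a bogus header cannot overrun it.
 * Returns 0 on success, -1 on a NULL argument or an oversized capture. */
int acquire_packet(owned_pkt_t *out, const pkthdr_t *h, const uint8_t *data)
{
    if (out == NULL || h == NULL || data == NULL) return -1;
    if (h->caplen > MAX_SNAPLEN) return -1;
    out->hdr = *h;
    memcpy(out->data, data, h->caplen);
    out->verdict = VERDICT_UNSET;
    return 0;
}

/* Toy analyzer (constructed rule): drop any packet whose first byte is 0xFF. */
int analyze(const owned_pkt_t *p)
{
    if (p->hdr.caplen > 0 && p->data[0] == 0xFF) return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Data-source side: the engine hands the verdict back through this callback,
 * which is where a real module would issue its drop/accept to the kernel. */
void finish_packet(owned_pkt_t *p, int verdict)
{
    p->verdict = verdict;
}

/* Simulated capture loop. The library-owned buffer `ring` is reused for every
 * packet, so a pointer to it is only meaningful inside the callback; the copy
 * in acquire_packet() is what keeps out[0] intact after packet 1 arrives.
 * Analysis runs after the loop, as a separate stage would. Returns the number
 * of packets dropped, or -1 on an acquisition failure. */
int run_demo(owned_pkt_t *out, size_t nout)
{
    static uint8_t ring[MAX_SNAPLEN];
    /* Two constructed sample frames: a benign IPv4-looking one and one that
     * trips the toy rule. */
    const uint8_t samples[2][4] = { {0x45, 0x00, 0x00, 0x28},
                                    {0xFF, 0x01, 0x02, 0x03} };
    size_t n = nout < 2 ? nout : 2, i;
    int drops = 0;

    for (i = 0; i < n; i++) {
        pkthdr_t hdr = { 4, 60 };           /* caplen 4 of a 60-byte frame */
        memcpy(ring, samples[i], 4);        /* library overwrites its buffer */
        if (acquire_packet(&out[i], &hdr, ring) != 0) return -1;
    }
    for (i = 0; i < n; i++) {               /* packets outlive the callback */
        int v = analyze(&out[i]);
        finish_packet(&out[i], v);
        if (v == VERDICT_DROP) drops++;
    }
    return drops;
}

int main(void)
{
    owned_pkt_t pk[2];
    int drops = run_demo(pk, 2);
    printf("dropped=%d first_byte_of_pkt0=0x%02x\n", drops, pk[0].data[0]);
    return drops == 1 ? 0 : 1;
}
```

The bound check in acquire_packet() is the part worth keeping whatever the real API looks like: a copy driven by an unchecked caplen from the capture header is a buffer overflow waiting for a crafted or corrupted capture.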


