snort-devel July 2008 archive

Re: [Snort-devel] Question about DAQ in snort 3.0

From: Russ Combs <rcombs_at_nospam>
Date: Tue Jul 08 2008 - 12:35:22 GMT
To: Jun Xiao <xiaojuntime@gmail.com>


Jun,

I'm not sure what you mean. analyze() is of course executed in the thread of its caller. The functions in dispatcher.c, where ANALYZER_ACTION is (almost entirely) handled, are executed in either the DAQ thread or the analyzer threads.

Are you reading the code or debugging it? I suggest running it in a debugger to see what is happening. You might try modifying the dummy analyzer to return different ANALYZER_ACTION values to see what happens in each case.

If you find a problem, let me know.

Russ

On Tue, 2008-07-08 at 13:20 +0800, Jun Xiao wrote:
> Russ,
>
> Thanks for the info.
> But I don't think analyze() can really return the ANALYZER_ACTION
> result; actually, it is executed in a different thread than the
> caller.
>
> Thanks,
> Jun
>
> 2008/7/7 Russ Combs <rcombs@sourcefire.com>:
> > Jun,
> >
> > The analyze() function in the analyzer_module_t returns back one of the
> > ANALYZER_ACTION values. See analyzer_api.h for details.
> >
> > From the RELEASE.NOTES: The ipq DAQ has not been compiled or tested.
> > If you have any fixes, please send them. :)
> >
> > pcap_process_loop() must copy the packet data because in SnortSP the
> > packet lifetime is always longer than the callback in which it was
> > acquired. (This differs from Snort except for reassembly in which case
> > a copy is also required.) To avoid the copy, the pcap library would
> > have to provide a function that wrote the packet data into a caller
> > supplied buffer.
> >
> > Russ
> >
> > On Mon, 2008-07-07 at 16:41 +0800, Jun Xiao wrote:
> >> I think the mechanism is that the engine will invoke the callback
> >> function finish_packet() to tell data source module to take the
> >> corresponding action. Is that correct?
> >> There is also another question: why do we need to do a packet copy in daq_pcap.c?
> >> pcap_process_loop() {
> >> ...
> >> memcpy(p, data, pkth->caplen);
> >> ...
> >> }
> >> Can we reuse the data pointer to avoid the packet copy?
> >>
> >> Thanks,
> >> Jun
> >>
> >> 2008/7/4 Xiao Jun <xiaojuntime@gmail.com>:
> >> > Hi All,
> >> >
> >> > I am wondering whether the snort 3.0 beta + iptables (IPS mode) is workable or not,
> >> > that is, how does the engine return the detection result (for
> >> > example, drop or reject) back to the data source?
> >> >
> >> > BTW, at line 147 of daq_ipq.c, "dd.resolution" should be used to
> >> > return the detection result, but I cannot even find the
> >> > definition of resolution.
> >> >
> >> > Thanks,
> >> > Jun
> >> >
> >>
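The copy-versus-retain point Russ makes about pcap_process_loop() (the packet outlives the callback, so the capture library's buffer cannot simply be kept), as an added example that is not from this thread or the Snort source: a stand-in capture loop that reuses one buffer, with a pointer-retaining callback beside a copying one. fake_capture_loop, keep_pointer_cb, copy_cb, first_packet_intact and the frame bytes are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for pcap_pkthdr: only the field the copy needs. */
typedef struct { uint32_t caplen; } pkt_hdr_t;

/* A packet retained beyond the callback, as SnortSP keeps them (assumed shape). */
typedef struct { pkt_hdr_t hdr; uint8_t *data; } retained_pkt_t;

typedef void (*capture_cb)(void *user, const pkt_hdr_t *h, const uint8_t *data);

/* Constructed sample frames standing in for two captured packets. */
static const uint8_t FRAME_A[] = { 0xAA, 0xAA, 0xAA, 0xAA };
static const uint8_t FRAME_B[] = { 0xBB, 0xBB, 0xBB, 0xBB };

/* Stand-in for pcap_loop(): the library owns one buffer and reuses it for every
   packet, so 'data' is only valid for the duration of the callback. */
static void fake_capture_loop(capture_cb cb, void *user)
{
    static uint8_t libbuf[64];
    const uint8_t *frames[] = { FRAME_A, FRAME_B };
    for (size_t i = 0; i < 2; i++) {
        pkt_hdr_t h = { .caplen = 4 };
        memcpy(libbuf, frames[i], h.caplen);
        cb(user, &h, libbuf);
    }
}

/* Retains the library's pointer for the first packet (the shortcut asked about). */
static void keep_pointer_cb(void *user, const pkt_hdr_t *h, const uint8_t *data)
{
    retained_pkt_t *p = user;
    if (p->data == NULL) { p->hdr = *h; p->data = (uint8_t *)data; }
}

/* Copies the first packet into caller-owned memory, as the memcpy() in daq_pcap.c does. */
static void copy_cb(void *user, const pkt_hdr_t *h, const uint8_t *data)
{
    retained_pkt_t *p = user;
    if (p->data == NULL) { p->hdr = *h; p->data = malloc(h->caplen); memcpy(p->data, data, h->caplen); }
}

/* Returns 1 if the retained first packet still holds FRAME_A after the loop has
   delivered the second packet, 0 if the library's buffer reuse clobbered it. */
int first_packet_intact(int copy)
{
    retained_pkt_t p = { { 0 }, NULL };
    fake_capture_loop(copy ? copy_cb : keep_pointer_cb, &p);
    int ok = memcmp(p.data, FRAME_A, p.hdr.caplen) == 0;
    if (copy) free(p.data);
    return ok;
}
```

With a real capture library the retained pointer may also point at memory that has been unmapped, so the failure is not always as visible as a changed byte pattern.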




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel