snort-devel July 2008 archive

Re: [Snort-devel] Question about DAQ in snort 3.0

From: Russ Combs <rcombs_at_nospam>
Date: Tue Jul 08 2008 - 16:44:49 GMT
To: Jun Xiao <xiaojuntime@gmail.com>


Yes, finish_packet() is used to handle some of the ANALYZER_ACTIONs from analyze().

On Tue, 2008-07-08 at 22:44 +0800, Jun Xiao wrote:
> Russ,
>
> Actually, my question is what mechanism is used to notify the DAQ of the
> detection result of the analyzer? You know, we cannot return the result
> via the original function call initiated by the DAQ, since the function has
> already returned before the analyzer does the analysis.
>
> So I am asking if finish_packet is for this purpose.
>
> Thanks,
> Jun
>
>
> 2008/7/8, Russ Combs <rcombs@sourcefire.com>:
> > Jun,
> >
> > I'm not sure what you mean. analyze() is of course executed in the
> > thread of its caller. The functions in dispatcher.c, where
> > ANALYZER_ACTION is (almost entirely) handled, are executed in either the
> > DAQ thread or the analyzer threads.
> >
> > Are you reading the code or debugging it? I suggest running it in a
> > debugger to see what is happening. You might try modifying the dummy
> > analyzer to return different ANALYZER_ACTION values to see what happens
> > in each case.
> >
> > If you find a problem, let me know.
> >
> > Russ
> >
> > On Tue, 2008-07-08 at 13:20 +0800, Jun Xiao wrote:
> > > Russ,
> > >
> > > Thanks for the info.
> > > But I don't think analyze() can really return the ANALYZER_ACTION
> > > result; actually, it is executed in a different thread than the
> > > caller.
> > >
> > > Thanks,
> > > Jun
> > >
> > > 2008/7/7 Russ Combs <rcombs@sourcefire.com>:
> > > > Jun,
> > > >
> > > > The analyze() function in the analyzer_module_t returns back one of the
> > > > ANALYZER_ACTION values. See analyzer_api.h for details.
> > > >
> > > > From the RELEASE.NOTES: The ipq DAQ has not been compiled or tested.
> > > > If you have any fixes, please send them. :)
> > > >
> > > > pcap_process_loop() must copy the packet data because in SnortSP the
> > > > packet lifetime is always longer than the callback in which it was
> > > > acquired. (This differs from Snort except for reassembly in which case
> > > > a copy is also required.) To avoid the copy, the pcap library would
> > > > have to provide a function that wrote the packet data into a caller
> > > > supplied buffer.
> > > >
> > > > Russ
> > > >
> > > > On Mon, 2008-07-07 at 16:41 +0800, Jun Xiao wrote:
> > > >> I think the mechanism is that the engine will invoke the callback
> > > >> function finish_packet() to tell data source module to take the
> > > >> corresponding action. Is that correct?
> > > >> There is also another question: why do we need to do a packet copy in daq_pcap.c?
> > > >> pcap_process_loop() {
> > > >> ...
> > > >> memcpy(p, data, pkth->caplen);
> > > >> ...
> > > >> }
> > > >> Can we reuse data pointer to reduce the packet copy?
> > > >>
> > > >> Thanks,
> > > >> Jun
> > > >>
> > > >> 2008/7/4 Xiao Jun <xiaojuntime@gmail.com>:
> > > >> > Hi All,
> > > >> >
> > > >> > I am wondering whether the snort 3.0 beta + iptables (IPS mode) is workable or not,
> > > >> > that is, how does the engine return the detection result (for
> > > >> > example, drop or reject) back to the data source?
> > > >> >
> > > >> > BTW, at line 147 of daq_ipq.c, "dd.resolution" should be used to
> > > >> > return the detection result, but I cannot even find the
> > > >> > definition of resolution.
> > > >> >
> > > >> > Thanks,
> > > >> > Jun
> > > >> >
> > > >>
> > > >> -------------------------------------------------------------------------
> > > >> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> > > >> Studies have shown that voting for your favorite open source project,
> > > >> along with a healthy diet, reduces your potential for chronic lameness
> > > >> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
> > > >> _______________________________________________
> > > >> Snort-devel mailing list
> > > >> Snort-devel@lists.sourceforge.net
> > > >> https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > >
> > > >
> >
> >
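The thread makes two related points: the capture callback returns before the analyzer has produced its ANALYZER_ACTION, so the verdict has to travel back through a separate path (finish_packet()), and because the packet outlives the callback, pcap_process_loop() must copy the data out of the buffer libpcap hands it. The C program below is an added illustration of that lifetime argument; it is not SnortSP code and does not use the real DAQ or analyzer API. fake_pcap_loop() stands in for pcap_loop() and, like libpcap, reuses one buffer for every packet; enqueue_cb(), analyze(), finish_packet() and the verdict enum are hypothetical names chosen for the demo. The three sample frames are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKTS 8
#define MAX_LEN  64

/* Verdicts the deferred analyzer returns. Hypothetical names, not SnortSP's
 * ANALYZER_ACTION values. */
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

struct queued_pkt {
    const uint8_t *data;      /* pointer the analyzer will read later */
    uint8_t copy[MAX_LEN];    /* private storage used when copying */
    uint32_t caplen;
    enum verdict verdict;
};

struct queue {
    struct queued_pkt pkts[MAX_PKTS];
    int n;
    int do_copy;              /* 1: memcpy into copy[], 0: alias the capture buffer */
};

typedef void (*capture_cb)(const uint8_t *data, uint32_t caplen, void *user);

/* Stand-in for pcap_loop(): like libpcap, it hands the callback a pointer
 * into ONE reusable buffer that the next packet overwrites. */
static void fake_pcap_loop(const uint8_t *const frames[], const uint32_t lens[],
                           int count, capture_cb cb, void *user)
{
    static uint8_t scratch[MAX_LEN];
    for (int i = 0; i < count; i++) {
        memcpy(scratch, frames[i], lens[i]);
        cb(scratch, lens[i], user);
    }
}

/* Capture callback: it returns immediately; analysis happens after the loop,
 * which is the situation the thread describes. */
static void enqueue_cb(const uint8_t *data, uint32_t caplen, void *user)
{
    struct queue *q = user;
    if (q->n >= MAX_PKTS || caplen > MAX_LEN)
        return;
    struct queued_pkt *p = &q->pkts[q->n++];
    p->caplen = caplen;
    if (q->do_copy) {
        memcpy(p->copy, data, caplen);   /* what pcap_process_loop() must do */
        p->data = p->copy;
    } else {
        p->data = data;                  /* dangling once the callback returns */
    }
}

/* Toy analyzer: drop any packet whose first byte is 0xFF. */
static enum verdict analyze(const uint8_t *data, uint32_t caplen)
{
    return (caplen > 0 && data[0] == 0xFF) ? VERDICT_DROP : VERDICT_PASS;
}

/* Hypothetical finish_packet: the out-of-band path that carries the verdict
 * back to the data source after analysis. */
static void finish_packet(struct queued_pkt *p, enum verdict v)
{
    p->verdict = v;
}

/* Captures three constructed frames, then runs deferred analysis.
 * Returns how many verdicts match what the frames should have received. */
int run_pipeline(int do_copy)
{
    static const uint8_t f0[] = { 0xFF, 0x01 };   /* constructed: should be dropped */
    static const uint8_t f1[] = { 0x00, 0x02 };   /* constructed: should pass */
    static const uint8_t f2[] = { 0x00, 0x03 };   /* constructed: should pass */
    const uint8_t *const frames[] = { f0, f1, f2 };
    const uint32_t lens[] = { 2, 2, 2 };
    const enum verdict expected[] = { VERDICT_DROP, VERDICT_PASS, VERDICT_PASS };

    struct queue q = { .n = 0, .do_copy = do_copy };
    fake_pcap_loop(frames, lens, 3, enqueue_cb, &q);

    int correct = 0;
    for (int i = 0; i < q.n; i++) {
        finish_packet(&q.pkts[i], analyze(q.pkts[i].data, q.pkts[i].caplen));
        if (q.pkts[i].verdict == expected[i])
            correct++;
    }
    return correct;
}

int main(void)
{
    printf("with copy:    %d/3 verdicts correct\n", run_pipeline(1));
    printf("without copy: %d/3 verdicts correct\n", run_pipeline(0));
    return 0;
}
```

With copying, all three verdicts are right. Without it, every queued pointer aliases the same scratch buffer, which by analysis time holds the last frame, so the packet that should have been dropped is passed. The only way to avoid the copy while keeping the verdict deferred is the one Russ names: a capture API that writes directly into a buffer the caller owns for as long as the packet lives.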




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel