Russ Combs | 1 Feb 16:05

Re: Access to the raw data of packets from SFSnortPacket structure

pkt_data gives you the raw packet, starting with the outermost header.

payload gives you the start of data after any decoded headers.

On Tue, Jan 31, 2012 at 3:36 AM, <romain <at> ftml.net> wrote:
Hello,

I would like to develop a Snort preprocessor that requires access to the
raw data of a packet, as an array of bytes for example.
With this preprocessor, I have access to the SFSnortPacket structure, but
I couldn't find the right field in this structure that points to the
data.
I was thinking of pkt_data, but according to my tests, it does not seem
to be that.

Do you have any suggestions?

Thanks,
Romain

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

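An added illustration of Russ's answer, not code from the thread or from Snort's sources: a stand-in for the two fields he names, pkt_data and payload, built over a constructed Ethernet/IPv4/TCP frame, showing that pkt_data begins at the outermost (Ethernet) header while payload begins after the decoded headers, and that raw-byte reads must be bounded by the captured length rather than by payload_size. The RawView struct, its caplen field and the helper names are assumptions, not the real SFSnortPacket layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the two SFSnortPacket fields named in the reply (pkt_data,
 * payload) plus the lengths needed to bound them. Assumption: this is not
 * the real struct layout; in Snort the captured length lives in the DAQ
 * packet header and the payload length in payload_size. */
typedef struct {
    const uint8_t *pkt_data;     /* raw frame, outermost header first    */
    uint32_t       caplen;       /* bytes actually captured off the wire */
    const uint8_t *payload;      /* first byte after the decoded headers */
    uint16_t       payload_size; /* bytes from payload to end of capture */
} RawView;

/* Constructed sample: Ethernet + IPv4 + TCP headers and a 4-byte payload. */
static const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, /* IPv4, proto 6 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, /* TCP, doff 5 */
    0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00,
    'A','B','C','D'
};
static const uint32_t SAMPLE_LEN = sizeof SAMPLE_FRAME;

/* Build the view the way a decoder would: walk Ethernet, IPv4 and TCP and
 * point payload just past them. Every step is bounded by caplen; a truncated
 * or non-IPv4/TCP frame leaves payload NULL rather than dangling. */
int make_view(const uint8_t *frame, uint32_t caplen, RawView *v)
{
    memset(v, 0, sizeof *v);
    v->pkt_data = frame;
    v->caplen = caplen;
    if (caplen < 14 + 20 || frame[12] != 0x08 || frame[13] != 0x00) return 0;
    size_t ihl = (size_t)(frame[14] & 0x0f) * 4;
    if (ihl < 20 || 14 + ihl + 20 > caplen || frame[14 + 9] != 6) return 0;
    size_t doff = (size_t)(frame[14 + ihl + 12] >> 4) * 4;
    size_t hdr = 14 + ihl + doff;
    if (doff < 20 || hdr > caplen) return 0;
    v->payload = frame + hdr;
    v->payload_size = (uint16_t)(caplen - hdr);
    return 1;
}

/* Decoded-header bytes between pkt_data and payload (54 for the sample). */
size_t header_bytes(const RawView *v)
{
    return v->payload ? (size_t)(v->payload - v->pkt_data) : 0;
}

/* Copy len raw bytes at offset off into out, bounded by caplen rather than
 * payload_size: a raw-byte preprocessor reads headers too, and caplen may
 * be shorter than the on-wire packet, so both limits must be checked. */
int raw_copy(const RawView *v, size_t off, size_t len, uint8_t *out)
{
    if (off > v->caplen || len > v->caplen - off) return 0;
    memcpy(out, v->pkt_data + off, len);
    return 1;
}
```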
Luis | 2 Feb 16:04

Re: request for changes to compile snort in Solaris

Yes, I concur with your opinions, but I haven't quite given up yet.. :)

Snort used to compile cleanly up to version 2.8, but since 2.9 it has had many issues that apparently have not been solved yet. Not sure if that is because there are very few people running on Solaris, or, like the link posted, people just fix their problems but don't ask to have the changes incorporated into the Snort build.

I've got Snort 2.9.2 running on SPARC on a test system and am going through 'tuning' the new features right now...

The problem is not only with Snort, by the way; barnyard2 also has its issues (sent an email to the barnyard2 list, but haven't gotten any feedback yet). So until I can get it compiled, I'm still using old, crusty barnyard, which seems to do the job.

Unfortunately, going away from SPARC/Solaris is not an option for us at this time, so we'll keep on trying...

:-)

Thanks for the comment.


Luis

On Tue, Jan 31, 2012 at 5:15 PM, Castle, Shane <scastle <at> bouldercounty.org> wrote:
I am not one of the Snort developers, but I have some experience and an opinion on this topic, so here goes.

I could not get earlier versions of Snort to compile correctly on Solaris. Period. If it successfully finished the make process, the resulting file(s) would not run correctly. So, I don't run Solaris any more.

YMMV but I gave up.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: Luis [mailto:luis.mlists <at> gmail.com]
Sent: Tuesday, January 31, 2012 14:41
To: snort-devel <at> lists.sourceforge.net
Subject: [Snort-devel] request for changes to compile snort in Solaris

Howdy:

Just went through compiling Snort 2.9.2 for Solaris SPARC and wanted to make a request to make the necessary changes so that 'configure' will work.

As you can probably deduce, I'm no developer... Googling found this link:

http://bookmarklust.blogspot.com/2011/11/snort-2912-on-solaris-10x86.html

Followed the instructions (to add #include "sf_types.h" to a bunch of files..) and it seemed to work.. compiled and created a binary. :-)

Is there a way that this can be done with autoconf (configure) on Solaris?


thanks.


Luis



Anju Jyothish | 2 Feb 23:21

Doubt in development

Hi,

I have a question. How do the packets know which DFA table to consult for pattern matching? Apparently the packet data structure does not hold any group id.

Thanks,
Anju
Martin Schütte | 2 Feb 23:24

how to release a Snort IPv6 plugin?

Hello,
are there best practices to publish a Snort plugin? In particular for
getting a GID and possibly an SID range assigned? Or even to
contribute a new module to Snort?

As part of an ongoing research project I have written an IPv6 plugin
for Snort. It includes a dynamic preprocessor to track IPv6 neighbor
discovery messages, and it implements some additional rule options to
check IPv6 header fields.
The source is available at: https://github.com/mschuett/spp_ipv6

-- 
Martin Schütte
Michael R Gilliam | 2 Feb 17:45

2.9.2-1 - Missing Alerts in Unified2 - Partial Alert in Unified

Has anyone experienced an issue where, with output directed to two destinations (both unified and unified2 format), partial alerts show up in the unified file (alert, but no packet/session data) and the alert and packet/session data are completely missing from the unified2 file? Otherwise, for the most part (99% of the time), all alerts and packets/session data match.

Running snort 2.9.2-1
daq 0.6.2

snort.conf output is set up as
output unified2: filename snort.log, limit 128
output alert_unified: filename /var/log/snort/log2.alert, limit 128
output log_unified: filename /var/log/snort/log2.log, limit 128

Thanks,
Mike

Joel Esler | 5 Feb 03:12

Re: how to release a Snort IPv6 plugin?

On Thu, Feb 02, 2012 at 11:24:49PM +0100, Martin Schütte wrote:
> Hello,
> are there best practices to publish a Snort plugin? In particular for
> getting a GID and possibly an SID range assigned? Or even to
> contribute a new module to Snort?

Okay, so there are two ways to go about this. 

#1 -- you release it on your own, pick a high GID and SID range that we wouldn't use any time soon, and you go on
your merry way as an additional plugin.
#2 -- You give us the code for possible incorporation into the Snort tree.  The way that works is that you sign
over all Copyright to the code to Sourcefire, and we attribute it back to you.

--
Joel Esler

Joel Esler | 5 Feb 06:57

Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?]

On Tue, Jan 24, 2012 at 02:45:05PM -0500, Joshua Kinard wrote:
> On 01/23/2012 11:18, Joel Esler wrote:
> 
> > Just let everyone know what we've done as a result of this conversation.
> >  We've put in a couple of bugs to track this/these issue/issues and we're
> > going to evaluate what we can do to satisfy the requirements/opinions
> > stated here.  I'll follow up with this thread when we make progress.
> 
> 
> Slight deviation in topic, but have you guys ever thought of making Snort's
> internal bugzilla (or other such issue tracker) publicly-accessible?  I
> imagine there's some things you guys want to keep to yourself, and most
> ticketing systems should have a "developer only" bit in them.
> 
> Might help better manage comments/ideas/bugs/patches from the community if
> we can file those into a ticket tracker and then get CC'ed when updates happen.

Followup to this.  We had a bugzilla system.  It seems that no one ever used it.  It's different from our
internal bugzilla system that we actually commit code with and annotate.  So I made the decision to kill it. 
Reason being, most bugs and feature requests are submitted through the bugs[@] email address.  I handle
all the bugs that come into the system through the community anyway and provide feedback to the reporters
when I know more.  I think to have a bugzilla system public would be the same thing, another system for me to
log into and move the bugs to our internal system, and vice versa.

I thought about encouraging the devel team to use the public system, but we can't, as things affect product as
well, and we don't have a public product system as not all of our code is open source.

So I think the way the community has been submitting bugs up to this point is working for us just fine, I see no
need to make another process for people to deal with, both externally, and internally.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Joshua Kinard | 5 Feb 10:06

Re: how to release a Snort IPv6 plugin?

On 02/04/2012 21:12, Joel Esler wrote:

> On Thu, Feb 02, 2012 at 11:24:49PM +0100, Martin Schütte wrote:
>> Hello,
>> are there best practices to publish a Snort plugin? In particular for
>> getting a GID and possibly an SID range assigned? Or even to
>> contribute a new module to Snort?
> 
> Okay, so there are two ways to go about this.
> 
> #1 -- you release it on your own, pick a high GID and SID range that we wouldn't use any time soon, and you go on
> your merry way as an additional plugin.
> #2 -- You give us the code for possible incorporation into the Snort tree.  The way that works is that you
> sign over all Copyright to the code to Sourcefire, and we attribute it back to you.

Re #2, is there a form for this?  That's one of the confusing bits I had on
the non-IP layer 3 patch I sent in a while back.  I am on file with the FSF
(if it matters), though that was years ago for a small patch to GCC.

-- 
Joshua Kinard
Gentoo/MIPS
kumba <at> gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Joshua Kinard | 5 Feb 10:08

Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?]

On 02/05/2012 00:57, Joel Esler wrote:

> On Tue, Jan 24, 2012 at 02:45:05PM -0500, Joshua Kinard wrote:
>> On 01/23/2012 11:18, Joel Esler wrote:
>>
>>> Just let everyone know what we've done as a result of this conversation.
>>>  We've put in a couple of bugs to track this/these issue/issues and we're
>>> going to evaluate what we can do to satisfy the requirements/opinions
>>> stated here.  I'll follow up with this thread when we make progress.
>>
>>
>> Slight deviation in topic, but have you guys ever thought of making Snort's
>> internal bugzilla (or other such issue tracker) publicly-accessible?  I
>> imagine there's some things you guys want to keep to yourself, and most
>> ticketing systems should have a "developer only" bit in them.
>>
>> Might help better manage comments/ideas/bugs/patches from the community if
>> we can file those into a ticket tracker and then get CC'ed when updates happen.
> 
> Followup to this.  We had a bugzilla system.  It seems that no one ever used it.  It's different from our
> internal bugzilla system that we actually commit code with and annotate.  So I made the decision to kill it.
> Reason being, most bugs and feature requests are submitted through the bugs[@] email address.  I handle
> all the bugs that come into the system through the community anyway and provide feedback to the reporters
> when I know more.  I think to have a bugzilla system public would be the same thing, another system for me to
> log into and move the bugs to our internal system, and vice versa.
> 
> I thought about encouraging the devel team to use the public system, but we can't, as things affect product
> as well, and we don't have a public product system as not all of our code is open source.
> 
> So I think the way the community has been submitting bugs up to this point is working for us just fine, I see no
> need to make another process for people to deal with, both externally, and internally.

Sounds good.  LKML ran for years before adding a public bugzilla to deal
with those that like that system.  I'd say that 95% of patches and bugs
still come in on that mailing list, though, so it's a system that works.
Worth an inquiry.

Cheers!

-- 
Joshua Kinard
Gentoo/MIPS
kumba <at> gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Joel Esler | 5 Feb 15:29

Re: how to release a Snort IPv6 plugin?

We don't have a form for patches. Just for big contributions of code. 

-- 
Joel Esler

On Feb 5, 2012, at 4:06 AM, Joshua Kinard <kumba <at> gentoo.org> wrote:

> On 02/04/2012 21:12, Joel Esler wrote:
> 
>> On Thu, Feb 02, 2012 at 11:24:49PM +0100, Martin Schütte wrote:
>>> Hello,
>>> are there best practices to publish a Snort plugin? In particular for
>>> getting a GID and possibly an SID range assigned? Or even to
>>> contribute a new module to Snort?
>> 
>> Okay, so there are two ways to go about this.
>> 
>> #1 -- you release it on your own, pick a high GID and SID range that we wouldn't use any time soon, and you go on
>> your merry way as an additional plugin.
>> #2 -- You give us the code for possible incorporation into the Snort tree.  The way that works is that you
>> sign over all Copyright to the code to Sourcefire, and we attribute it back to you.
> 
> 
> Re #2, Is there a form for this?  That's one of the confusing bits I had on
> the non-IP layer 3 patch I sent in a while back.  I am on file with the FSF
> (if it matters), though that was years ago for a small patch to GCC.
> 
> -- 
> Joshua Kinard
> Gentoo/MIPS
> kumba <at> gentoo.org
> 4096R/D25D95E3 2011-03-28
> 
> "The past tempts us, the present confuses us, the future frightens us.  And
> our lives slip away, moment by moment, lost in that vast, terrible in-between."
> 
> --Emperor Turhan, Centauri Republic
> 