DOWNDLOAD

Sax2 Intrusion Prevention System

  • Prevent hacker & virus attacks
  • Securing your network & business
Read More…
Free Download

Maximizing Java Development: Leveraging Open Source Components for Efficient Backend Systems

AndyHuang

Contents hide
Snort Detection Plugin Initialization Process
I Overview of Open Source Components Detection Plugins
II Detection Plugin Setup
III Detection Plugin Init
Related posts:

Snort Detection Plugin Initialization Process

I Overview of Open Source Components Detection Plugins

1. Code Location: Snort source code src/detection-plugins

2. Function: The Snort rule body can define keywords, such as for ICMP protocol itype, icode, etc. These keywords and their parameters will be parsed by detection plugins and related functions of detection plugins will be invoked for processing. For example, if itype:3 is defined in the rule body, the detection plugin will perform a comparative operation between the input packet structure of the ICMP protocol type and the rule’s itype.

II Detection Plugin Setup

Each detection plugin has a Setup function, such as the SetupIcmpTypeCheck function in sp_icmp_type_check.c:

void SetupIcmpTypeCheck(void){    RegisterRuleOption("itype", IcmpTypeCheckInit, NULL, OPT_TYPE_DETECTION, NULL);    ...}

Function Call Chain: RegisterRuleOptions=>SetupIcmpTypeCheck=>RegisterRuleOption

1. RegisterRuleOptions is defined in plugbase.c, completing the initialization of the lower-level linked list (rule body) in a three-dimensional linked list.

2. RegisterRuleOption is defined in plugbase.c, generating a RuleOptConfigFuncNode node and inserting it at the end of the linked list rule_opt_config_funcs (defined in snort.cc).

III Detection Plugin Init

Each detection plugin has an Init function, such as the IcmpTypeCheckInit function in sp_icmp_type_check.c:

void IcmpTypeCheckInit(struct _SnortConfig *sc, char *data, OptTreeNode *otn, int protocol){    ...    otn->ds_list[PLUGIN_ICMP_TYPE] = (IcmpTypeCheckData *)SnortAlloc(sizeof(IcmpTypeCheckData)); // Create a new node and attach it to the three-dimensional linked list    ParseIcmpType(sc, data, otn);                       // Parse itype value in the ICMP rule    fpl = AddOptFuncToList(IcmpTypeCheck, otn);         // Attach the detection function to the related linked list of otn}

The Init process completes the initialization of related keyword detection in the three-dimensional linked list, i.e., parsing keywords and hooking keyword detection functions into the three-dimensional linked list.

Related posts:

  1. How to Avoid Phishing Scams
  2. Block bad ICMP messages to Prevent ICMP attacks
  3. DNS spoofing
  4. How to Prevent Denial of Service Attack (DDoS Attack)