snort2.9.3预处理插件步骤整理.docx

Snort 2 .9 . 3 预处理器开发步骤打开模板snort2.9.3.1/templates ,查看文件：sp_template.h和sp_template.c是开发预处理插件使用的模板，spp_template.h和spp_template.c是开发预处理器使用的模板。这里使用spp_template.h和spp_template.c。复制spp_template.h和spp_template.c重命名，得到新的插件复制spp_hellosnort.c和spp_hellosnort.h到snort2.9.3.1/src/preprocessors修改plugbase.c文件，将插件的头文件spp_hellosnort.h包含到plugbase.c中如图（63、64行）并且将插件的SetupHelloSnort（）函数插入plugbase.c的RegisterPreprocessors()函数中如图（672行）修改spp_hellosnort.h文件，即定义初始化函数原形void SetupHelloSnort(); 如图（13行）修改spp_hellosnort.c文件。需注意地方:1、修改引用的头文件,删除#inlcude“spp_template.h”，增加#inlcude”spp_hellosnort.h” 2、增加#define PROTO_MASK 0x0001（添加函数到预处理器链表是用到）3、AddFuncToPreprocList(HelloSnortFunct, PRIORITY_NETWORK, PP_HELLO_SNORT, PROTO_MASK);此信息中的PRIORITY_NETWORK为源文件/src/preprocids.h中引用（图80行）此信息中的PP_HELLO_SNORT需在源文件/src/preprocids.h中定义的最后添加如图：添加#define PP_HELLO_SNORT 30（图72行）spp_hellosnort.c文件源码如下（只写出打印信息做调用参考，没有具体功能函数）：/* $Id$ *//* Snort Preprocessor Plugin Source File Template *//* * Purpose: * * Preprocessors perform some function *once* for *each* packet. This is * different from detection plugins, which are accessed depending on the * standard rules. When adding a plugin to the system, be sure to * add the Setup function to the InitPreprocessors() function call in * plugbase.c! * * Arguments: * * This is the list of arguements that the plugin can take at the * preprocessor line in the rules file * * Effect: * * What the preprocessor does. Check out some of the default ones * (e.g. spp_frag2) for a good example of this description. * * Comments: * * Any comments? * */#include sys/types.h#include stdlib.h#include ctype.h#include rpc/types.h#include snort_debug.h/* * If youre going to issue any alerts from this preproc you * should include generators.h and event_wrapper.h */#include generators.h#include event_wrapper.h#include util.h#include plugbase.h#include parser.h/* * put in other inculdes as necessary *//* * your preprocessor header file goes here if necessary, dont forget * to include the heade