Additional Resources
Author: Snort site
You can think of this as a dynamic preprocessor “starter kit”, the goal of which is to make it as simple as possible to prototype a dynamic preprocessor. This one is called DPX, for “Dynamic Preprocessor Example”. You can build DPX, which is very trivial, and then change it to do what you need.
Here is how to build DPX:
Download the Snort tarball. Unpack and build it in /path/to/snort/topdir (the directory where you run ./configure). There is no need to run make install.
Download and install this tarball (dpx-*.tar.gz) in some other directory.
echo "SNORT=/path/to/snort/topdir" > setup.sh
./build.sh (see Issue 1 at end)
./test.sh
There are a number of things that can trip you up, so pay special attention to the following details:
Unfortunately, Snort doesn't install the development headers required, and the example in the source tree assumes you work in that source tree. This example can be built outside the Snort source tree and without installing Snort.
configure.ac ensures that DPX is compiled with exactly the same options as Snort by using pkg-config and snort.pc, which the Snort build generates automatically. If you don't do this, key structures may be defined differently in Snort proper and in DPX, which would result in nasty things like segfaults.
Snort uses hidden visibility by default, for compilers that support it, to reduce runtime overhead when accessing dynamically loaded modules like DPX. This means you must get the visibility correct so that InitializePreprocessor() and LibVersion() are exported and Snort can load the module.
Dynamically loaded modules need file and line numbers for proper debug output. Just be sure to call DebugMessage() instead of calling _dpd.debugMsg() directly, and that will happen automatically.
You can use SNORT_DEBUG to get helpful output; test.sh shows how. You must configure Snort with --enable-debug --enable-debug-msgs for this to work.
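The following is an added illustration, not code from DPX or Snort, of the two mechanisms described in the visibility and debug-output notes above: a module that exports only the entry points Snort resolves by name when built with -fvisibility=hidden, and a DebugMessage()-style macro that supplies __FILE__ and __LINE__ automatically. The host_api struct, the recorder host, and the parameter types of LibVersion() and InitializePreprocessor() are constructed stand-ins (assumptions for illustration), not Snort's DynamicPreprocessorData or DynamicPluginMeta; take the real signatures from the Snort headers.

```c
/*
 * Added illustration, not code from DPX or Snort. The host_api struct and
 * the entry-point parameter types are constructed stand-ins, not Snort's
 * DynamicPreprocessorData or DynamicPluginMeta.
 */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* With -fvisibility=hidden (GCC/Clang) every global symbol is hidden from
 * dlsym() unless it carries this attribute. */
#if defined(__GNUC__)
#define DPX_EXPORT __attribute__((visibility("default")))
#else
#define DPX_EXPORT
#endif

/* Constructed stand-in for the host's callback table (Snort's is _dpd). */
struct host_api {
    void (*debugMsg)(const char *msg);
};
static struct host_api *dpd;

/* Write "file:line: message" into out; returns the length produced
 * (or a negative value on a formatting error). */
int dpx_vformat_debug(char *out, size_t n, const char *file, int line,
                      const char *fmt, va_list ap)
{
    int len = snprintf(out, n, "%s:%d: ", file, line);
    if (len < 0 || (size_t)len >= n)
        return len;
    int m = vsnprintf(out + len, n - (size_t)len, fmt, ap);
    return m < 0 ? m : len + m;
}

int dpx_format_debug(char *out, size_t n, const char *file, int line,
                     const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = dpx_vformat_debug(out, n, file, line, fmt, ap);
    va_end(ap);
    return r;
}

/* What module code calls. The macro adds __FILE__/__LINE__ so the host
 * reports the module's location rather than its own. Snort compiles such
 * output in only with --enable-debug-msgs; here it is unconditional so the
 * example runs stand-alone. */
#define DebugMessage(...) dpx_debug_message(__FILE__, __LINE__, __VA_ARGS__)

static void dpx_debug_message(const char *file, int line, const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    dpx_vformat_debug(buf, sizeof buf, file, line, fmt, ap);
    va_end(ap);
    if (dpd && dpd->debugMsg)
        dpd->debugMsg(buf);
}

/* Constructed stand-in host: records the last message for inspection. */
static char last_debug[256];
static void record_debug(const char *msg)
{
    snprintf(last_debug, sizeof last_debug, "%s", msg);
}
struct host_api dpx_demo_host = { record_debug };
const char *dpx_last_debug(void) { return last_debug; }

/* Not marked DPX_EXPORT: under -fvisibility=hidden this stays internal even
 * though it is not static, so the host cannot resolve it by name. */
int dpx_setup(struct host_api *api)
{
    dpd = api;
    DebugMessage("dpx setup, host api at %p", (void *)api);
    return 0;
}

/* The two symbols Snort resolves by name must stay visible. */
DPX_EXPORT int LibVersion(void *meta)
{
    (void)meta;   /* the real function fills in Snort's plugin metadata */
    return 0;
}

DPX_EXPORT int InitializePreprocessor(struct host_api *api)
{
    return dpx_setup(api);
}

int main(void)
{
    InitializePreprocessor(&dpx_demo_host);
    printf("%s\n", dpx_last_debug());   /* e.g. "dpx.c:82: dpx setup, host api at 0x..." */
    return 0;
}
```

To check the visibility part, drop main(), build the file as a shared object with `gcc -shared -fPIC -fvisibility=hidden -o dpx.so dpx.c`, and list the exported functions with `nm -D dpx.so | grep ' T '`: only LibVersion and InitializePreprocessor should appear, while dpx_setup and the formatting helpers stay hidden. Leave the attribute off either entry point and Snort will fail to load the module because the symbol is not exported.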