/* $Id: spp_template.c,v 1.3 2002/03/19 13:46:24 cazz Exp $ */
/* Snort Preprocessor Plugin Source File Template */

/* spp_template 
 * 
 * Purpose:
 *
 * Preprocessors perform some function *once* for *each* packet.  This is
 * different from detection plugins, which are accessed depending on the
 * standard rules.  When adding a plugin to the system, be sure to 
 * add the "Setup" function to the InitPreprocessors() function call in 
 * plugbase.c!
 *
 * Arguments:
 *   
 * This is the list of arguments that the plugin can take on the
 * "preprocessor" line in the rules file
 *
 * Effect:
 *
 * What the preprocessor does.  Check out some of the default ones 
 * (e.g. spp_http_decode) for a good example of this description.
 *
 * Comments:
 *
 * Any comments?
 *
 */

/* your preprocessor header file goes here */
#include "spp_ssh.h"

/* external globals from rules.c */
//extern char *file_name;
//extern int file_line;

/* If you need to instantiate the preprocessor's data structure, do it here */
//TemplateData SomeData;

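/*
 * Function: SetupTemplate()
 *
 * Purpose: Binds the "ssh" preprocessor keyword to TemplateSSHInit() by
 *          calling RegisterPreprocessor(), then prints a one-line notice
 *          on stdout.  Per the template, this is the function that gets
 *          called from InitPreprocessors() in plugbase.c.
 *
 * Arguments: None.
 *
 * Returns: void function
 *
 */
void SetupTemplate(void)
{
    /* link the "ssh" keyword used on the "preprocessor" line of the rules
       file to the init function in the preproc list */
    RegisterPreprocessor("ssh", TemplateSSHInit);

    /* startup notice only; nothing is inspected or logged at this point */
    printf("SSH Preprocessor: Template is setup...\n");
}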


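/*
 * Function: TemplateSSHInit(u_char *)
 *
 * Purpose: Hands the argument string to ParseTemplateArgs() and then adds
 *          PreprocFunction() to the preprocessor function list via
 *          AddFuncToPreprocList().
 *
 * Arguments: args => ptr to argument string taken from the rules file
 *                    NOTE(review): presumably NULL or empty when the
 *                    "preprocessor ssh" line carries no arguments --
 *                    confirm against the caller in plugbase.c
 *
 * Returns: void function
 *
 */
void TemplateSSHInit(u_char *args)
{
  //  DebugMessage(DEBUG_PLUGIN,"Preprocessor: Template Initialized\n");

    /* parse the argument list from the rules file.  ParseTemplateArgs()
       is declared with char *, so the u_char * is converted explicitly
       instead of relying on an implicit pointer-signedness conversion */
    ParseTemplateArgs((char *) args);

    /* Set the preprocessor function into the function list */
    AddFuncToPreprocList(PreprocFunction);

    /* no clean-exit or restart handlers are registered yet */
    //AddFuncToCleanExitList(PreprocCleanExitFunction);
    //AddFuncToRestartList(PreprocRestartFunction);
}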



/*
 * Function: ParseTemplateArgs(char *)
 *
 * Purpose: Placeholder for processing the preprocessor arguments from the
 *          rules file.  As written it does not read the argument string
 *          at all; it only prints a marker line on stdout.  The template
 *          notes that this function doesn't have to exist if it makes
 *          sense to parse the args in the init function.
 *
 * Arguments: args => argument list (currently unused)
 *
 * Returns: void function
 *
 */
void ParseTemplateArgs(char *args)
{
    /* nothing is parsed yet, so say explicitly that args is ignored */
    (void) args;

    /* NOTE(review): once real parsing is added (see the other spp files
       for examples), treat the string as operator-supplied configuration:
       handle a NULL or empty list and bound every copy out of it */
    printf("Arrrrrrrrrrgs \n");
}


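/*
 * Function: PreprocFunction(Packet *)
 *
 * Purpose: For TCP session traffic whose source or destination port is 22,
 *          writes the packet out with DirectLogTcpdump() and prints both
 *          per-direction packet counters, for as long as either counter
 *          is still at or below COUNT.
 *
 *          Caveats for anyone relying on the output:
 *            - traffic is selected by port number only; the payload is
 *              never inspected, so SSH on another port is not seen and
 *              anything else on port 22 is logged as if it were SSH
 *            - the two counters are OR-ed, so a flow in which one side
 *              stays at or below COUNT keeps being logged no matter how
 *              many packets the other side sends
 *            - the printf() runs once per logged packet on stdout
 *
 * Arguments: p => pointer to the current packet data struct
 *
 * Returns: void function
 *
 */
void PreprocFunction(Packet *p)
{
    Session *ssn;
    Stream *strms;
    Stream *strmc;

    /* check for TCP traffic that's part of an established session */
    if(!PacketIsTCP(p) || !IsTcpSessionTraffic(p))
    {
        return;
    }

    /* we're only interested in ssh traffic (port match only, see above) */
    if(p->dp != 22 && p->sp != 22)
    {
        return;
    }

    /* Packets come straight off the wire, so do not dereference the
       session pointer on trust: a NULL here would take the sensor down.
       NOTE(review): IsTcpSessionTraffic() may already guarantee a
       session is attached -- confirm; the guard is harmless either way */
    ssn = (Session *)(p->ssnptr);
    if(!ssn)
    {
        return;
    }

    strms = (Stream *)(&ssn->server);
    strmc = (Stream *)(&ssn->client);

    /* now check the current number of packets sent */
    if((strms->pkts_sent <= COUNT) || (strmc->pkts_sent <= COUNT))
    {
        DirectLogTcpdump(p->pkth, p->pkt);

        /* %ld requires a long argument; the counters' declared type is
           not visible in this file, so convert explicitly rather than
           pass a mismatched type through the varargs call */
        printf("s-sent:%ld c-sent:%ld \n",
               (long) strms->pkts_sent, (long) strmc->pkts_sent);
    }
}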

