Re: external internet/process calls from a preprocessor: msg#00008

security.ids.snort.devel

Subject: Re: external internet/process calls from a preprocessor



David Cann wrote:
> I was told I might have more luck posting this to the devel list, rather
> than the users list, so here goes ;-)
>
> I've got snort 2.4.4 running inline on a dedicated box, and I'm trying
> to use the gethostbyname() function to make a simple DNS call when a set
> of criteria is true. This code is contained in a preprocessor which
> otherwise works fine. When the criteria are satisfied, the DNS call
> invariably fails to work; it doesn't time out, it just fails outright,
> as if it has no access to the internet.
>
> Running the exact same code in a standalone program outside of Snort
> works fine. So my backup idea was to invoke a standalone program each
> time the criteria are met, and pass arguments back and forth. This
> doesn't seem to work either; it's as if snort disallows such
> functionality, even when running in daemon mode.
>
> I admit I am a terrible, novice C programmer. But can anybody provide
> some insight into either A) snort not being able to make DNS calls from
> a preprocessor, or B) snort not invoking an external process and passing
> arguments?
>
> -Note: It was mentioned in a reply on the other list that Snort doesn't
> disallow DNS resolution implicitly in its programming. Is this accurate?
> Is there any other reason my gethostbyname() call is failing so miserably?

I've seen no other replies so I assume you mean mine.

It is correct that snort does not do any name resolution in the critical
path, that is, in the packet handling code itself, because it could and
would be highly detrimental to performance. An example of this would be
that a DoS on the name server would cause the inline system to block
until timeout on resolution.

Do herror and hstrerror provide any insight to the failure?

Could you provide the actual code you are using?

>
> Thanks in advance,
> --Dave
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
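
An added example, not code from this thread or from Snort: one way to keep a blocking lookup out of the packet path discussed above, with failures reported through hstrerror(h_errno). The names lookup_request, lookup_drain and resolve_blocking and the ring size are assumptions; the ring assumes exactly one producer (the packet path) and one consumer (a helper thread).

```c
#define _DEFAULT_SOURCE     /* exposes hstrerror() and h_errno on glibc */
#include <netdb.h>
#include <stdatomic.h>
#include <stdio.h>

#define QSLOTS 4            /* ring capacity, power of two (small for the demo) */
#define NAMELEN 256

/* Single-producer/single-consumer ring: the packet path is the only
 * producer, one helper thread is the only consumer (assumed design). */
static char q_names[QSLOTS][NAMELEN];
static atomic_uint q_head;  /* next slot to write (producer) */
static atomic_uint q_tail;  /* next slot to read (consumer) */

/* Called from the packet path: never blocks, never touches the network.
 * Returns 0 if queued, -1 if the ring is full and the request is dropped. */
int lookup_request(const char *name)
{
    unsigned head = atomic_load_explicit(&q_head, memory_order_relaxed);
    unsigned tail = atomic_load_explicit(&q_tail, memory_order_acquire);
    if (head - tail == QSLOTS)
        return -1;
    snprintf(q_names[head % QSLOTS], NAMELEN, "%s", name);
    atomic_store_explicit(&q_head, head + 1, memory_order_release);
    return 0;
}

/* Blocking resolver, used only off the packet path; logs h_errno on failure. */
int resolve_blocking(const char *name)
{
    if (gethostbyname(name) == NULL) {
        fprintf(stderr, "lookup %s failed: %s (h_errno=%d)\n",
                name, hstrerror(h_errno), h_errno);
        return -1;
    }
    return 0;
}

/* Called from the helper thread: drains the ring through `resolve` and
 * returns how many lookups succeeded. */
int lookup_drain(int (*resolve)(const char *))
{
    int ok = 0;
    unsigned tail = atomic_load_explicit(&q_tail, memory_order_relaxed);
    while (tail != atomic_load_explicit(&q_head, memory_order_acquire)) {
        if (resolve(q_names[tail % QSLOTS]) == 0)
            ok++;
        atomic_store_explicit(&q_tail, ++tail, memory_order_release);
    }
    return ok;
}
```

If the name server is slow or unreachable, only the helper thread stalls; the packet path sees at most a full ring and a dropped request.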



