Re: external internet/process calls from a preprocessor

Hope this helps, here's the function I drunkenly glued together to try 
and make a DNS query:

int dnscaller(int argc, char argv[NUM][LEN]) {

char *addr, list[LEN];
int found = FALSE;

f1 = fopen("bunchofcrap.txt", "a+");

if(argc<2)
  printf("incorrect input\n");
else {
  he = gethostbyname(argv[1]);
  if (he) {
    printf("name:\t\t\t %s\n", he->h_name);
    while (*he->h_aliases)
  printf("alias:\t\t\t %s\n", *he->h_aliases++);
    while (*he->h_addr_list) {
  bcopy(*he->h_addr_list++, (char *) &a, sizeof(a));
  printf("address:\t\t %s\n", addr = (char*)inet_ntoa(a));
  while ( fgets(list, sizeof(list), f1) != NULL) {
      list[strlen(list)-1] = '\0';
      if (strcmp(list, addr) == 0) {
          found = TRUE;
          break;
      }
  }
  if(!found)
      fprintf(f1, "%s\n", addr);
    }
  }
  else {
    printf("dns failed.\n");
    herror("gethostbyname");
    return -1;
  }
}
fclose(f1);
return 0;

}


NOTE: I added the herror("gethostbyname"); line just today, to try and 
spit out whatever error the DNS function was returning. I'm not sure if 
I'm invoking it properly, but it outputs something to the effect of 
"gethostbyname: Resolver Error 0: No Error" to stderr (console in this 
case).

It should just print the resolved IP's to a textfile, but no text file 
is created obviously, since no resolving takes place.

Also, I understand the performance concerns, but we're only invoking 
this function under very limited and specific circumstances, and even a 
few seconds to resolve the DNS wouldn't result in a significant 
performance problem under our circumstances; I just need to get this to 
work.

Thanks again,
--Dave

Jason wrote:
> David Cann wrote:
>  
> > I was told I might have more luck posting this to the devel list, rather
> > than the users list, so here goes ;-)
> >
> > I've got snort 2.4.4 running inline on a dedicated box, and I'm trying
> > to use the gethostbyname() function to make a simple DNS call when a set
> > of criteria is true. This code is contained in a preprocessor which
> > otherwise works fine. When the criteria are satisfied, the DNS call
> > invariably fails to work; it doesn't time out, it just fails outright,
> > as if it has no access to the internet.
> >
> > Running the exact same code in a standalone program outside of Snort,
> > works fine. So my backup idea was to invoke a standalone program each
> > time the criteria is met, and pass arguments back and forth. This
> > doesn't seem to work either, it's as if snort disallows such
> > functionality, even when running in daemon mode.
> >
> > I admit I am a terrible, novice C programmer. But can anybody provide
> > some insight into either A) snort not being able to make DNS calls from
> > a preprocessor, or B) snort not invoking an external process and passing
> > arguments?
> >
> > -Note: It was mentioned in a reply on the other list that Snort doesn't
> > disallow DNS resolution implicitly in its programming. Is this accurate?
> > Is there any other reason my gethostbyname() call is failing so 
> > miserably?
> >     
>
> I've seen no other replies so I assume you mean mine.
>
> It is correct that snort does not do any name resolution in the critical
> path, that is in the packet handling code itself, because it could and
> would be highly detrimental to performance. An example of this would be
> that A DoS on the name server would cause the inline system to block
> until timeout on resolution.
>
> Do herror and hstrerror provide any insight to the failure?
>
> Could you provide the actual code you are using?
>
>  
> > Thanks in advance,
> > --Dave
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by xPML, a groundbreaking scripting 
> > language
> > that extends applications into web and mobile media. Attend the live
> > webcast
> > and join the prime developer group breaking into this new coding 
> > territory!
> > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
> >     
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting 
> language
> that extends applications into web and mobile media. Attend the live 
> webcast
> and join the prime developer group breaking into this new coding 
> territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>   




-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642