
Re: external internet/process calls from a preprocessor: msg#00010

security.ids.snort.devel

Subject: Re: external internet/process calls from a preprocessor

Just following up.

Did the print of the domain you were trying to resolve shed any light on
the problem?

David Cann wrote:
> Hope this helps, here's the function I drunkenly glued together to try
> and make a DNS query:
>
> #include <stdio.h>
> #include <string.h>
> #include <netdb.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
>
> #define NUM 2
> #define LEN 256
>
> /* Resolve argv[1] with gethostbyname(), print what comes back, and
>  * append each address to a text file unless it is already listed there. */
> int dnscaller(int argc, char argv[NUM][LEN]) {
>
>     char *addr, list[LEN];
>     char **p;
>     int found;
>     struct hostent *he;
>     struct in_addr a;
>     FILE *f1;
>
>     if (argc < 2) {
>         printf("incorrect input\n");
>         return -1;
>     }
>
>     f1 = fopen("bunchofcrap.txt", "a+");
>     if (f1 == NULL) {
>         perror("fopen");
>         return -1;
>     }
>
>     he = gethostbyname(argv[1]);
>     if (he == NULL) {
>         printf("dns failed.\n");
>         herror("gethostbyname");   /* prints the h_errno text to stderr */
>         fclose(f1);
>         return -1;
>     }
>
>     printf("name:\t\t\t %s\n", he->h_name);
>     for (p = he->h_aliases; *p != NULL; p++)
>         printf("alias:\t\t\t %s\n", *p);
>
>     for (p = he->h_addr_list; *p != NULL; p++) {
>         memcpy(&a, *p, sizeof(a));
>         addr = inet_ntoa(a);
>         printf("address:\t\t %s\n", addr);
>
>         /* Rescan the file from the top for every address; the previous
>          * pass left the read position at end of file. */
>         found = 0;
>         rewind(f1);
>         while (fgets(list, sizeof(list), f1) != NULL) {
>             list[strcspn(list, "\n")] = '\0';   /* safe on an empty line */
>             if (strcmp(list, addr) == 0) {
>                 found = 1;
>                 break;
>             }
>         }
>         /* A seek is required between a read and a write on the same
>          * stream; "a+" still appends at end of file. */
>         fseek(f1, 0, SEEK_END);
>         if (!found)
>             fprintf(f1, "%s\n", addr);
>     }
>
>     fclose(f1);
>     return 0;
> }
>
>
> NOTE: I added the herror("gethostbyname"); line just today, to try and
> spit out whatever error the DNS function was returning. I'm not sure if
> I'm invoking it properly, but it outputs something to the effect of
> "gethostbyname: Resolver Error 0: No Error" to stderr (console in this
> case).
>
> It should just print the resolved IPs to a textfile, but no text file
> is created obviously, since no resolving takes place.
>
> Also, I understand the performance concerns, but we're only invoking
> this function under very limited and specific circumstances, and even a
> few seconds to resolve the DNS wouldn't result in a significant
> performance problem under our circumstances; I just need to get this to
> work.
>
> Thanks again,
> --Dave
>
> Jason wrote:
>
>> David Cann wrote:
>>
>>
>>> I was told I might have more luck posting this to the devel list, rather
>>> than the users list, so here goes ;-)
>>>
>>> I've got snort 2.4.4 running inline on a dedicated box, and I'm trying
>>> to use the gethostbyname() function to make a simple DNS call when a set
>>> of criteria is true. This code is contained in a preprocessor which
>>> otherwise works fine. When the criteria are satisfied, the DNS call
>>> invariably fails to work; it doesn't time out, it just fails outright,
>>> as if it has no access to the internet.
>>>
>>> Running the exact same code in a standalone program outside of Snort,
>>> works fine. So my backup idea was to invoke a standalone program each
>>> time the criteria are met, and pass arguments back and forth. This
>>> doesn't seem to work either, it's as if snort disallows such
>>> functionality, even when running in daemon mode.
>>>
>>> I admit I am a terrible, novice C programmer. But can anybody provide
>>> some insight into either A) snort not being able to make DNS calls from
>>> a preprocessor, or B) snort not invoking an external process and passing
>>> arguments?
>>>
>>> -Note: It was mentioned in a reply on the other list that Snort doesn't
>>> disallow DNS resolution implicitly in its programming. Is this accurate?
>>> Is there any other reason my gethostbyname() call is failing so
>>> miserably?
>>>
>>
>>
>> I've seen no other replies so I assume you mean mine.
>>
>> It is correct that snort does not do any name resolution in the critical
>> path, that is in the packet handling code itself, because it could and
>> would be highly detrimental to performance. An example of this would be
>> that a DoS on the name server would cause the inline system to block
>> until timeout on resolution.
>>
>> Do herror and hstrerror provide any insight to the failure?
>>
>> Could you provide the actual code you are using?
>>
>>
>>
>>> Thanks in advance,
>>> --Dave
>>>
>>>
>>> -------------------------------------------------------
>>> This SF.Net email is sponsored by xPML, a groundbreaking scripting
>>> language
>>> that extends applications into web and mobile media. Attend the live
>>> webcast
>>> and join the prime developer group breaking into this new coding
>>> territory!
>>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel@xxxxxxxxxxxxxxxxxxxxx
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>>
>>
>



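Jason's point above (resolution in the packet path stalls the inline sensor whenever the name server is slow or under attack) suggests the shape of a workable design: keep the blocking call out of the packet path entirely. The following is an added example, not Snort code and not from anyone in this thread. It assumes a helper process forked once at start-up, a pipe as the hand-off, getaddrinfo() instead of gethostbyname(), and an output file name (resolved.txt) chosen for illustration only. It does not diagnose why the call fails inside the preprocessor, which the thread leaves open.

```c
#define _POSIX_C_SOURCE 200809L   /* pipe/fork/fcntl/getaddrinfo under -std=c99 */
#include <fcntl.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAME_MAX_LEN 255   /* longest hostname accepted; a line is name + '\n' */
#define ADDR_STR_LEN 64    /* room for any textual IPv4 or IPv6 address */

/* Resolve NAME to its first address and write it as text into OUT. FLAGS goes
 * to getaddrinfo(): AI_NUMERICHOST makes this an offline parse, usable without
 * a network. Returns 0 on success, otherwise an EAI_* code (gai_strerror()). */
int resolve_name(const char *name, int flags, char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    int rc;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;   /* one result per address, not per socket type */
    hints.ai_flags = flags;
    rc = getaddrinfo(name, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc;
}

/* Packet-path side: hand NAME to the helper without ever sleeping. Returns 0 if
 * queued, -1 if NAME is unusable or the pipe is full (the lookup is dropped). */
int queue_lookup(int wfd, const char *name)
{
    char line[NAME_MAX_LEN + 1];
    size_t n = strlen(name);
    if (n == 0 || n > NAME_MAX_LEN || strchr(name, '\n') != NULL)
        return -1;
    memcpy(line, name, n);
    line[n] = '\n';
    /* n + 1 <= PIPE_BUF, so the write is atomic: lines never interleave and
     * a full O_NONBLOCK pipe fails with EAGAIN instead of a partial write. */
    return write(wfd, line, n + 1) == (ssize_t)(n + 1) ? 0 : -1;
}

/* Helper side: block on the pipe, resolve each name, append "name addr" (or
 * "name FAILED reason") to OUTFILE. Only this process ever waits on DNS. */
void resolver_helper(int rfd, const char *outfile)
{
    FILE *in = fdopen(rfd, "r"), *out = fopen(outfile, "a");
    char line[NAME_MAX_LEN + 2], addr[ADDR_STR_LEN];
    int rc;
    if (in == NULL || out == NULL)
        return;
    while (fgets(line, sizeof line, in) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        rc = resolve_name(line, 0, addr, sizeof addr);
        if (rc == 0)
            fprintf(out, "%s %s\n", line, addr);
        else
            fprintf(out, "%s FAILED %s\n", line, gai_strerror(rc));
        fflush(out);
    }
    fclose(out);
}

/* Fork the helper once at start-up. Returns the non-blocking write end of
 * the pipe (or -1) and stores the helper's pid in *PID for waitpid(). */
int start_resolver_helper(const char *outfile, pid_t *pid)
{
    int fds[2];
    if (pipe(fds) != 0 || (*pid = fork()) < 0)
        return -1;
    if (*pid == 0) {                 /* child keeps only the read end */
        close(fds[1]);
        resolver_helper(fds[0], outfile);
        _exit(0);
    }
    close(fds[0]);                   /* parent keeps a non-blocking write end */
    fcntl(fds[1], F_SETFL, fcntl(fds[1], F_GETFL) | O_NONBLOCK);
    return fds[1];
}

int main(void)
{
    pid_t pid;
    int wfd = start_resolver_helper("resolved.txt", &pid);   /* file name is illustrative */
    if (wfd < 0)
        return 1;
    queue_lookup(wfd, "localhost");
    queue_lookup(wfd, "example.invalid");   /* fails in the helper, not here */
    close(wfd);                              /* EOF on the pipe ends the helper */
    waitpid(pid, NULL, 0);
    return 0;
}
```

queue_lookup() writes one line per name; because each write is under PIPE_BUF and the descriptor is O_NONBLOCK, a full pipe returns -1 at once instead of stalling the caller, and a dropped lookup is the worst case rather than a stalled sensor. resolve_name() takes the getaddrinfo() flags as a parameter so the same function can be exercised offline with AI_NUMERICHOST.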