
Re: external internet/process calls from a preprocessor: msg#00011

security.ids.snort.devel

Subject: Re: external internet/process calls from a preprocessor


> This is no problem if you read in a file, however, if you capture live
> network traffic, you should understand that snort will be blind for the
> "few seconds" needed to resolve the IP in DNS. Any attacker knowing this
> could generate a false alert that needs to be resolved and then carry on
> his main attack, unnoticed. My advice: resolve the IPs in another process
> or thread.

We're running in inline mode, so there should be no "window of opportunity" since all the packets are just backlogged from the ip_queue module. Again, under our circumstances this shouldn't present a performance issue, but we can always test that after this preprocessor issue gets sorted out.

> Hm, don't know if I understand your code right.
> If you have a Snort alert you know only IP addresses. If you have an IP
> address and want the corresponding hostname, then maybe you want
> gethostbyaddr instead of gethostbyname.

We definitely have a hostname. The best way to visualize it is that we have another process (which might end up being the ns (network simulator) suite) generating very specially formed packets and injecting them into our network. They carry a special datagram that we parse using other code in the preprocessor, and all we pass to the verifydns function will (in the end) be a hostname.

I know that sounds ridiculous, but we're trying to do some pretty obtuse and roundabout stuff. I wish I had a simpler situation to report ;-)

My main question is, if Snort doesn't actively block outbound connections to the internet from a preprocessor, why the heck does our code work in an external program but not in the preprocessor? And why the heck does the gethostbyname error come back as "0: No error"? This is turning out to be much more of a "C programming" problem than a "Snort" problem I think, so if you'd like I can buzz off and start hitting a few C forums ;-)

Thanks again,

--D
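An added example, not code from this thread, from the poster, or from Snort, illustrating the two points raised above: the DNS lookup runs on a worker thread so the packet path never blocks on the resolver, and a failed gethostbyname() is reported through h_errno, which is where that function leaves its error (reading strerror(errno) after a failed gethostbyname() is what produces "0: No error"). The queue and function names (resolve_queue, rq_push, lookup_host, lookup_strerror) are this example's own, not Snort preprocessor API; verifydns is only mentioned in a comment as the poster's call site; the two hostnames pushed in main are constructed inputs.

```c
/* Added example, not from the thread or Snort; all names are the example's own.
 * Lookups run on a worker thread; failures are reported via h_errno, not errno. */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netdb.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
enum { QLEN = 8, NAMELEN = 256 };
struct resolve_queue {               /* hand-off: packet path -> resolver */
    char            names[QLEN][NAMELEN];
    int             head, tail, count, shutdown;
    pthread_mutex_t lock;
    pthread_cond_t  nonempty;
};
#define RQ_INIT { .lock = PTHREAD_MUTEX_INITIALIZER, .nonempty = PTHREAD_COND_INITIALIZER }

/* Packet path: never waits.  0 = queued, -1 = full (drop it, don't stall). */
int rq_push(struct resolve_queue *q, const char *name)
{
    int rc = -1;
    pthread_mutex_lock(&q->lock);
    if (q->count < QLEN) {
        snprintf(q->names[q->tail], NAMELEN, "%s", name);
        q->tail = (q->tail + 1) % QLEN;
        q->count++; rc = 0;
        pthread_cond_signal(&q->nonempty);
    }
    pthread_mutex_unlock(&q->lock);
    return rc;
}

/* Resolver thread only: waits for a name; -1 once shut down and drained. */
int rq_pop(struct resolve_queue *q, char *out, size_t outlen)
{
    int rc = -1;
    pthread_mutex_lock(&q->lock);
    while (q->count == 0 && !q->shutdown)
        pthread_cond_wait(&q->nonempty, &q->lock);
    if (q->count > 0) {
        snprintf(out, outlen, "%s", q->names[q->head]);
        q->head = (q->head + 1) % QLEN;
        q->count--; rc = 0;
    }
    pthread_mutex_unlock(&q->lock);
    return rc;
}

void rq_shutdown(struct resolve_queue *q)
{
    pthread_mutex_lock(&q->lock);
    q->shutdown = 1; pthread_cond_broadcast(&q->nonempty);
    pthread_mutex_unlock(&q->lock);
}

/* h_errno is a separate namespace from errno; map its codes explicitly. */
const char *lookup_strerror(int herr)
{
    switch (herr) {
    case HOST_NOT_FOUND: return "host not found";
    case TRY_AGAIN:      return "temporary resolver failure";
    case NO_RECOVERY:    return "non-recoverable resolver error";
    case NO_DATA:        return "name has no address record";
    default:             return "unknown resolver error";
    }
}

/* 0 = addr set; -1 = err set.  hostent is a static buffer: resolver thread only. */
int lookup_host(const char *name, char *addr, size_t addrlen, char *err, size_t errlen)
{
    struct hostent *he = gethostbyname(name);
    if (he == NULL) {   /* read h_errno here, not errno */
        snprintf(err, errlen, "%d: %s", h_errno, lookup_strerror(h_errno));
        return -1;
    }
    inet_ntop(he->h_addrtype, he->h_addr_list[0], addr, addrlen);
    return 0;
}

static void *resolver_worker(void *arg)
{
    struct resolve_queue *q = arg;
    char name[NAMELEN], addr[INET6_ADDRSTRLEN], err[128];
    while (rq_pop(q, name, sizeof name) == 0) {
        int ok = lookup_host(name, addr, sizeof addr, err, sizeof err) == 0;
        printf("%s -> %s\n", name, ok ? addr : err);
    }
    return NULL;
}
int main(void)
{
    struct resolve_queue q = RQ_INIT; pthread_t tid;
    pthread_create(&tid, NULL, resolver_worker, &q);
    rq_push(&q, "localhost");           /* constructed inputs, standing in */
    rq_push(&q, "nosuchhost.invalid");  /* for the verifydns() call sites  */
    rq_shutdown(&q);
    pthread_join(tid, NULL);
    return 0;
}
```

Only the resolver thread calls gethostbyname() here, because it returns a pointer into a static buffer. If more than one thread ever needs lookups, getaddrinfo() is the thread-safe replacement; it reports failure through its return value, decoded with gai_strerror(), rather than through h_errno.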

