Hosting Provided By

[Snort-devel] spo_cvs.c bugs

From: Alan Milligan <alan(at)balclutha.org>
Date: Wed Feb 25 2004 - 03:50:04 EST

Hi,

I'm trying to do some stuff with snort logging certain packets so I can flexibly count bandwith utilisations using snort rules. I am still unsure if this is the best tool for this job (please advise)...

In my investigations however, I've struggled to get anything out of the unixsock stuff - any pointers as to why nothing's getting written down the socket would be most helpful.

Also, when trying the cvs output, I found a load of bugs with the srcport/dstport stuff. I've appended a patch from the 2.1.1-RC1 source base (please forgive me if it's not quite in your standard format ;) ).

TIA Alan

spo_csv.c 2004-02-25 19:39:04.000000000 +1100 +++ spo_csv.c.old 2004-02-25 19:02:50.000000000 +1100 @@ -285,7 +285,7 @@ fprintf(file, "%lu", (unsigned long) event->sig_id); } }
- else if(!strncasecmp("sig_rev",type,7))
+ else if(!strncasecmp("sig_rev",type,6)) { if(event != NULL) { @@ -346,7 +346,7 @@ fprintf(file,"0x%X",ntohs(p->eh->ether_type)); } }
- else if(!strncasecmp("udplength", type, 9))
+ else if(!strncasecmp("udplength", type, 3)) { if(p->udph) fprintf(file,"%d",ntohs(p->udph->uh_len)); @@ -361,7 +361,17 @@ if(p->trh) PrintTrHeader(file, p); }
- else if(!strncasecmp("srcport", type, 7))
+ else if(!strncasecmp("src", type, 3)) + { + if(p->iph) + fputs(inet_ntoa(p->iph->ip_src), file); + } + else if(!strncasecmp("dst", type, 3)) + { + if(p->iph) + fputs(inet_ntoa(p->iph->ip_dst), file); + } + else if(!strncasecmp("srcport", type, 3)) { if(p->iph) { @@ -374,12 +384,7 @@ } } }
- else if(!strncasecmp("src", type, 3))
- {
- if(p->iph)
- fputs(inet_ntoa(p->iph->ip_src), file);
- }
- else if(!strncasecmp("dstport", type, 7)) + else if(!strncasecmp("dstport", type, 3)) { if(p->iph) { @@ -387,16 +392,11 @@ { case IPPROTO_UDP: case IPPROTO_TCP:
- fprintf(file, "%d", p->dp); + fprintf(file, "%d", p->sp); break; } } }
- else if(!strncasecmp("dst", type, 3))
- {
- if(p->iph)
- fputs(inet_ntoa(p->iph->ip_dst), file);
- } else if(!strncasecmp("icmptype",type,8)) { if(p->icmph)

SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Wed Feb 25 03:59:06 2004

This message: [ Message body ]
Next message: Nick Zitzmann: "Re: [Snort-devel] spo_cvs.c bugs"
Previous message: mcenroe(at)dli.ernet.in: "[Snort-devel] Snort Pattern-Matching Steps"
Next in thread: Nick Zitzmann: "Re: [Snort-devel] spo_cvs.c bugs"
Reply: Nick Zitzmann: "Re: [Snort-devel] spo_cvs.c bugs"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT