Snort mailing list archives
Re: Again snort and unixsocket
From: Fyodor <fygrave () tigerteam net>
Date: Mon, 26 Nov 2001 07:46:17 +0700
On Sun, Nov 25, 2001 at 10:47:02PM +0100, TSauter () gmx net wrote:
Hello snort-users, first, thanks for all replies to my previous post. After some probs and manuals, I've now got the following code:

<snip>
Alertpkt alert;

while ((connfd = recvfrom(sockfd, &alert, sizeof(alert), 0,
                          (struct sockaddr *) &adresse, (socklen_t *) &adrlen)) > 0)
{
    Packet *p;
    p = (void *)&alert.pkt;

replace this with:

    if (!(alert.val & NOPACKET_STRUCT)) {
        if ((p = calloc(1, sizeof(Packet))) == NULL) {
            perror("calloc");
            exit(1);
        }
        p->pkt  = alert.pkt;
        p->pkth = &alert.pkth;   /* pkth is embedded in Alertpkt; Packet holds a pointer to it */
        if (alert.dlthdr)
            p->eh = (EtherHdr *)(alert.pkt + alert.dlthdr);
        if (alert.nethdr)
            p->iph = (IPHdr *)(alert.pkt + alert.nethdr);
        if (alert.transhdr) {
            switch (p->iph->ip_proto) {
                case IPPROTO_TCP:
                    p->tcph = (TCPHdr *)(alert.pkt + alert.transhdr);
                    break;
                case IPPROTO_UDP:
                    p->udph = (UDPHdr *)(alert.pkt + alert.transhdr);
                    break;
                case IPPROTO_ICMP:
                    p->icmph = (ICMPHdr *)(alert.pkt + alert.transhdr);
                    break;
                default:
                    printf("WTF!\n");
            }
        }
        if (alert.data)
            p->data = alert.pkt + alert.data;
        /* now do whatever you want with these packet structures */
    } /* if (!NOPACKET_STRUCT) */

    printf("%s [%d]\n", alert.alertmsg, alert.event.event_id);
    printf("%d->%d\n", p->sp, p->dp);

    if (p->iph) {
        printf("from: %s ", inet_ntoa(p->iph->ip_src));
        printf("to: %s\n", inet_ntoa(p->iph->ip_dst));
    }
    etc..

    fflush(NULL);
}
</snip>

infos like ip-addresses or ports. I think all infos should be stored in "alert.pkt", which is simply a pointer to a Packet structure (decode.h). But how can I
No, just the pure packet captured off the wire plus offsets to the relevant data structures are stored. You can't store a Packet structure in it, because the Packet structure has lots of pointers to data located outside of the packet structure. So I had to use offsets instead (and recalculate the pointers in the client code).

Hope it helps,
-Fyodor
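Added example, not code from this thread or from Snort: a stand-alone decoder in the spirit of the offset reconstruction above, using an assumed stand-in for Alertpkt (same field roles: pkth, the dlthdr/nethdr/transhdr/data offsets, val, pkt[]) so it compiles without the Snort tree. It adds the check a client should make, since the offsets arrive over the socket from another process: every header is bounds-checked against pkth.caplen before a pointer is formed, and because the reconstruction above fills only the header pointers (not p->sp/p->dp), the ports are read from the TCP header itself.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#define SNAPLEN 1514
#define NOPACKET_STRUCT 0x1
/* Stand-ins for pcap_pkthdr and Snort's Alertpkt: same field roles as in the thread,
 * not the real definitions (assumed layout; only the fields the decoder needs). */
typedef struct { uint32_t sec, usec, caplen, len; } PktHdr;
typedef struct {
    char alertmsg[256]; PktHdr pkth;
    uint32_t dlthdr, nethdr, transhdr, data;  /* byte offsets into pkt[] */
    uint32_t val;                             /* NOPACKET_STRUCT flag etc. */
    uint8_t pkt[SNAPLEN];                     /* raw bytes off the wire */
} Alertpkt;
typedef struct { char src[16], dst[16]; uint16_t sp, dp; } Decoded;

/* Rebuild the IPv4/TCP view from the offsets. Returns 0 on success, -1 if the
 * alert carries no packet or an offset would point outside the captured bytes. */
int decode_alert(const Alertpkt *a, Decoded *d)
{
    uint32_t caplen = a->pkth.caplen;
    if ((a->val & NOPACKET_STRUCT) || caplen < 40 || caplen > SNAPLEN) return -1;
    /* the offsets arrive over the socket: check them before forming pointers */
    if (a->nethdr > caplen - 20 || a->transhdr > caplen - 20 ||
        a->transhdr < a->nethdr + 20) return -1;
    const uint8_t *ip = a->pkt + a->nethdr, *tcp = a->pkt + a->transhdr;
    if ((ip[0] >> 4) != 4 || ip[9] != IPPROTO_TCP) return -1;      /* IPv4 over TCP only */
    if (a->transhdr != a->nethdr + (ip[0] & 0x0f) * 4u) return -1; /* must match the IHL */
    inet_ntop(AF_INET, ip + 12, d->src, sizeof d->src);
    inet_ntop(AF_INET, ip + 16, d->dst, sizeof d->dst);
    d->sp = (uint16_t)(tcp[0] << 8 | tcp[1]);
    d->dp = (uint16_t)(tcp[2] << 8 | tcp[3]);
    return 0;
}

/* Constructed sample: a 54-byte Ethernet/IPv4/TCP SYN, 10.0.0.1:40000 -> 10.0.0.2:22. */
Alertpkt sample_alert(void)
{
    static const uint8_t frame[54] = {
        0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,                          /* Ethernet */
        0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,           /* IPv4, proto 6 */
        0x9c,0x40, 0,22, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0,0, 0,0, 0,0 }; /* TCP */
    Alertpkt a; memset(&a, 0, sizeof a);
    strcpy(a.alertmsg, "sample alert"); a.pkth.caplen = a.pkth.len = sizeof frame;
    a.dlthdr = 0; a.nethdr = 14; a.transhdr = 34; a.data = 54;
    memcpy(a.pkt, frame, sizeof frame);
    return a;
}
```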