Snort mailing list archives

Re: configure snort to drop payloads


From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 17 Apr 2002 15:26:58 -0700

At 6:07 AM -0800 4/2/02, Lyle Sudin wrote:
Is there an easy way to run snort in packet sniffing
mode which will be able to keep up with a 100MB
connection, log in tcpdump format, and only log the
packet headers?

The -b switch seems to keep up with the traffic and
not drop packets but includes the payload in addition
to the headers.  I need to do all the parsing before
writing to disk (both privacy and disk space concerns)
so I am looking for either a switch I am missing or
code to edit.

Lyle,

See the diff below. I haven't so much as tried to compile this (let alone be sure it works, so use at your own risk), but this might meet your requirement for *no* logging of payload data. Basically it copies just the header of the packet into a buffer and gives that to libpcap for writing. It also lies to pcap about the capture length, saying it is just the length of the header. Right now, this is enabled by a #define; it wouldn't be hard to add it as a command line switch.

Mostly due to needing to make a copy of the header, there is a small performance hit. If this matters, you can post-process your tcpdump file with this option enabled, rather than running with it originally. (I am making a conservative assumption about pcap in making a copy of the header.)

Corrections to this code would be welcome.

Hope this helps,

   Jim


--- spo_log_tcpdump.c.orig      Wed Apr 17 13:44:03 2002
+++ spo_log_tcpdump.c   Wed Apr 17 15:25:55 2002
@@ -38,6 +38,8 @@
  * First logger...
  *
  */
+
+#define DONT_LOG_PAYLOAD 1

 /* your output plugin header file goes here */
 #include "spo_log_tcpdump.h"
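Review bot: `#define DONT_LOG_PAYLOAD 1` hard-codes the behaviour for every build of the plugin, and the value cannot be overridden from the compiler command line without editing the source. Since the reply already says a command-line switch would be easy, at least guard it with `#ifndef DONT_LOG_PAYLOAD` so it can be set from CFLAGS, and add a comment next to it stating that every record written will have its caplen reduced to the header length, because anyone reading the resulting capture needs to know that.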
@@ -170,6 +172,14 @@

     if(p)
     {
+#if DONT_LOG_PAYLOAD
+        u_int8_t sanitized_pkt[68];
+        u_int16_t real_caplen= p->pkth->caplen <= 68 ?
+                                 p->pkth->caplen : 68;
+ + p->pkth->caplen-= p->dsize; +#endif + if(pv.obfuscation_flag)
         {
             if(p->iph != NULL)
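Review bot: the fixed `u_int8_t sanitized_pkt[68]` buffer assumes headers never exceed 68 bytes, but Ethernet (14) plus an IPv4 header with options (up to 60) plus a TCP header with options (up to 60) can reach 134, and `p->pkth->caplen-= p->dsize` is not clamped to 68, so the later copy into `sanitized_pkt` can overrun the stack buffer; size the buffer from the configured snaplen, or clamp the reduced caplen to `sizeof(sanitized_pkt)`. `real_caplen` also saves the value already clamped to 68 rather than the original caplen, so the restore later in the function corrupts caplen for any packet longer than 68 bytes; save `p->pkth->caplen` unmodified (and as a `u_int32_t`, matching the field's type).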
@@ -181,9 +191,23 @@

         data->log_written = 1;

+#if DONT_LOG_PAYLOAD
+        /* copy just the header over */
+        if (p->pkt != NULL) { /* in case we get here w/o a pkt */
+            memcpy(sanitized_pkt,p->pkt,p->pkth->caplen);
+            pcap_dump((u_char *)data->dumpd,p->pkth,sanitized_pkt);
+        } else {
+            /* sizeof(struct pcap_pkthdr) = 16 bytes */
+            pcap_dump((u_char *)data->dumpd,p->pkth,NULL);
+        }
+
+
+        p->pkth->caplen= real_caplen; /* restore p->pkth */
+#else
         /* sizeof(struct pcap_pkthdr) = 16 bytes */
         pcap_dump((u_char *)data->dumpd,p->pkth,p->pkt);
-
+#endif
+ if(!pv.line_buffer_flag)
         {
             fflush((FILE *)data->dumpd);
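Review bot: `memcpy(sanitized_pkt,p->pkt,p->pkth->caplen)` has no bound check; caplen at this point is the original capture length minus `p->dsize`, and for a frame whose bytes the decoder did not account for in `dsize` (a non-IP frame, or one whose headers exceed 68 bytes) that is more than the 68 bytes `sanitized_pkt` holds. Copy at most `sizeof(sanitized_pkt)` bytes and write that same length in the record header passed to `pcap_dump`. In the `p->pkt == NULL` branch, `pcap_dump` is still handed the reduced caplen together with a NULL buffer; set caplen to 0 there (or skip the record) so the library is not asked to write bytes from a null pointer. The two empty `+` lines before the restore are also stray whitespace that should be dropped.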

--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
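The reply suggests post-processing the tcpdump file instead of stripping payload inside Snort. The following is an added example of that approach, written for this archive page; it is not Jim's patch and not Snort code. It reads a classic pcap file, works out the real header length of each frame from the packet itself (Ethernet, IPv4 with options, TCP with options, UDP or ICMP) rather than assuming a fixed 68 bytes, and writes each record back with caplen cut down to the headers while leaving the on-the-wire length untouched. Assumptions, as marked in the comments: classic pcap in native byte order (magic 0xa1b2c3d4), Ethernet link type, and frames that are not IPv4 over Ethernet are cut back to the 14-byte Ethernet header. The sample frames and the two-record capture built by `demo_strip_size()` are constructed test data.

```c
/* Added example (not code from the original post or from Snort): post-process
 * a pcap file so each record keeps only its protocol headers, the alternative
 * the reply suggests to stripping payload inside Snort.  Assumes classic pcap
 * in native byte order (magic 0xa1b2c3d4) with Ethernet link type; frames
 * other than IPv4 over Ethernet are cut back to the 14-byte Ethernet header. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14

/* Bytes of leading headers (Ethernet, IPv4 incl. options, TCP incl. options,
 * UDP or ICMP).  Lengths are read from the packet, not assumed fixed, and the
 * result never exceeds caplen, so nothing past the headers can be written. */
uint32_t header_len(const uint8_t *pkt, uint32_t caplen)
{
    uint32_t hlen = ETH_HLEN;
    if (caplen < ETH_HLEN)
        return caplen;                              /* short frame: keep as-is */
    if ((pkt[12] << 8 | pkt[13]) != 0x0800 || caplen < hlen + 20)
        return hlen;                                /* non-IPv4 or truncated IP */
    uint32_t ihl = (uint32_t)(pkt[hlen] & 0x0f) * 4;
    if (ihl < 20 || caplen < hlen + ihl)
        return hlen;                                /* bad or truncated IHL */
    uint8_t proto = pkt[hlen + 9];
    hlen += ihl;
    if (proto == 6 && caplen >= hlen + 20) {        /* TCP: data offset in words */
        uint32_t doff = (uint32_t)(pkt[hlen + 12] >> 4) * 4;
        if (doff >= 20 && caplen >= hlen + doff)
            hlen += doff;
    } else if ((proto == 17 || proto == 1) && caplen >= hlen + 8) {
        hlen += 8;                                  /* UDP / ICMP fixed header */
    }
    return hlen;
}

/* Classic pcap file and record headers (24 and 16 bytes, no padding). */
struct pcap_file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t thiszone;
                       uint32_t sigfigs, snaplen, linktype; };
struct pcap_rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };

/* Copy `in` to `out`, shortening each record to its headers.  caplen is
 * reduced; len (wire length) is left alone, which the format allows.
 * Returns records written, or -1 on a malformed or unsupported input. */
long strip_payload(FILE *in, FILE *out)
{
    struct pcap_file_hdr fh;
    struct pcap_rec_hdr rh;
    static uint8_t buf[65535];
    long n = 0;
    if (fread(&fh, sizeof fh, 1, in) != 1 || fh.magic != 0xa1b2c3d4u || fh.linktype != 1)
        return -1;
    if (fwrite(&fh, sizeof fh, 1, out) != 1)
        return -1;
    while (fread(&rh, sizeof rh, 1, in) == 1) {
        if (rh.caplen > sizeof buf || fread(buf, 1, rh.caplen, in) != rh.caplen)
            return -1;
        rh.caplen = header_len(buf, rh.caplen);
        if (fwrite(&rh, sizeof rh, 1, out) != 1 || fwrite(buf, 1, rh.caplen, out) != rh.caplen)
            return -1;
        n++;
    }
    return n;
}

/* Constructed test frame: Ethernet/IPv4/TCP with opt_words TCP option words
 * and `payload` bytes of 'A'.  Returns the frame length. */
uint32_t build_tcp_frame(uint8_t *f, unsigned opt_words, uint32_t payload)
{
    uint32_t thl = 20 + opt_words * 4, total = ETH_HLEN + 20 + thl + payload;
    memset(f, 0, total);
    f[12] = 0x08; f[13] = 0x00;                     /* EtherType IPv4 */
    f[14] = 0x45;                                   /* version 4, IHL 5 */
    f[14 + 9] = 6;                                  /* protocol TCP */
    f[34 + 12] = (uint8_t)((thl / 4) << 4);         /* TCP data offset */
    memset(f + ETH_HLEN + 20 + thl, 'A', payload);
    return total;
}

/* Header length that would be kept for a constructed TCP frame. */
uint32_t tcp_header_len(unsigned opt_words, uint32_t payload)
{
    uint8_t f[2048];
    return header_len(f, build_tcp_frame(f, opt_words, payload));
}

/* Round trip on constructed data: a two-record capture (TCP with 12 bytes of
 * options and 100 bytes of payload, then a 60-byte ARP frame) is stripped
 * into a temp file; returns the output size, 24 + (16+66) + (16+14) = 136. */
long demo_strip_size(void)
{
    struct pcap_file_hdr fh = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535, 1 };
    struct pcap_rec_hdr rh = { 0, 0, 0, 0 };
    uint8_t f[2048];
    FILE *in = tmpfile(), *out = tmpfile();
    long size;
    if (!in || !out) return -1;
    fwrite(&fh, sizeof fh, 1, in);
    rh.caplen = rh.len = build_tcp_frame(f, 3, 100);
    fwrite(&rh, sizeof rh, 1, in); fwrite(f, 1, rh.caplen, in);
    memset(f, 0, 60); f[12] = 0x08; f[13] = 0x06;   /* EtherType ARP: only L2 kept */
    rh.caplen = rh.len = 60;
    fwrite(&rh, sizeof rh, 1, in); fwrite(f, 1, 60, in);
    rewind(in);
    if (strip_payload(in, out) != 2) return -1;
    fseek(out, 0, SEEK_END);
    size = ftell(out);
    fclose(in); fclose(out);
    return size;
}
```

Used as a filter (`strip_payload(stdin, stdout)` from a small main) this turns a full capture taken with `-b` into one that holds only headers, which addresses the privacy and disk-space concerns in the question without touching Snort's capture path. Reading the IHL and TCP data offset from the frame is what makes the fixed 68-byte assumption unnecessary: a record is never cut inside its headers and never keeps payload.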

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users