Snort mailing list archives
Re: configure snort to drop payloads
From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 17 Apr 2002 15:26:58 -0700
At 6:07 AM -0800 4/2/02, Lyle Sudin wrote:
Is there an easy way to run snort in packet sniffing mode which will be able to keep up with a 100MB connection, log in tcpdump format, and only log the packet headers? The -b switch seems to keep up with the traffic and not drop packets but includes the payload in addition to the headers. I need to do all the parsing before writing to disk (both privacy and disk space concerns) so I am looking for either a switch I am missing or code to edit.
Lyle,

See the diff below. I haven't so much as tried to compile this (let alone be sure it works; so use at your own risk) but this might meet your requirement for *no* logging of payload data. Basically it copies just the header of the packet into a buffer and gives that to libpcap for writing. It also lies to pcap about the capture length, saying it is just the length of the header. Right now, this is enabled by a #define; it wouldn't be hard to add it as a command line switch.
Mostly due to needing to make a copy of the header, there is a small performance hit. If this matters, you can post-process your tcpdump file with this option enabled, rather than running with it originally. (I am making a conservative assumption about pcap in making a copy of the header.)
Corrections to this code would be welcome. Hope this helps, Jim --- spo_log_tcpdump.c.orig Wed Apr 17 13:44:03 2002 +++ spo_log_tcpdump.c Wed Apr 17 15:25:55 2002 @@ -38,6 +38,8 @@ * First logger... * */ + +#define DONT_LOG_PAYLOAD 1 /* your output plugin header file goes here */ #include "spo_log_tcpdump.h" @@ -170,6 +172,14 @@ if(p) { +#if DONT_LOG_PAYLOAD + u_int8_t sanitized_pkt[68]; + u_int16_t real_caplen= p->pkth->caplen <= 68 ? + p->pkth->caplen : 68;+ + p->pkth->caplen-= p->dsize; +#endif + if(pv.obfuscation_flag)
{ if(p->iph != NULL) @@ -181,9 +191,23 @@ data->log_written = 1; +#if DONT_LOG_PAYLOAD + /* copy just the header over */ + if (p->pkt != NULL) { /* in case we get here w/o a pkt */ + memcpy(sanitized_pkt,p->pkt,p->pkth->caplen); + pcap_dump((u_char *)data->dumpd,p->pkth,sanitized_pkt); + } else { + /* sizeof(struct pcap_pkthdr) = 16 bytes */ + pcap_dump((u_char *)data->dumpd,p->pkth,NULL); + } + + + p->pkth->caplen= real_caplen; /* restore p->pkth */ +#else /* sizeof(struct pcap_pkthdr) = 16 bytes */ pcap_dump((u_char *)data->dumpd,p->pkth,p->pkt); - +#endif+ if(!pv.line_buffer_flag)
{ fflush((FILE *)data->dumpd); -- |* Jim Hoagland, Associate Researcher, Silicon Defense *| |* --- Silicon Defense: IDS Solutions --- *| |* hoagland () SiliconDefense com, http://www.silicondefense.com/ *| |* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
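Review bot: in the first hunk, "#define DONT_LOG_PAYLOAD 1" hard-wires payload stripping on for every build of spo_log_tcpdump.c, so anyone applying the diff loses full-payload logging until they edit the source again. Wrapping it in "#ifndef DONT_LOG_PAYLOAD" (or supplying it from the build flags) keeps the default build unchanged and is also the natural stepping stone to the command-line switch the message mentions.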
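Review bot: in the second hunk, real_caplen is clamped to 68, so the "restore p->pkth" later sets p->pkth->caplen to 68 rather than to its original value whenever the capture was taken with a larger snaplen (the -b run in the question); save p->pkth->caplen unmodified instead, and note that u_int16_t also truncates a 32-bit caplen. Separately, "p->pkth->caplen -= p->dsize" mutates the packet header that every other output plugin shares, and it is done before the obfuscation block rather than next to the pcap_dump call, so any path that leaves the function between the subtraction and the restore leaks a shortened caplen to the rest of the chain. Copying *p->pkth into a local struct pcap_pkthdr, adjusting the copy's caplen and handing that to pcap_dump needs no restore at all. Also worth documenting: if p->dsize is 0 for a frame Snort did not decode, nothing is subtracted and the whole frame is written, so the "no payload" guarantee only covers decoded traffic.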
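Review bot: in the third hunk, "memcpy(sanitized_pkt,p->pkt,p->pkth->caplen)" copies caplen minus dsize bytes into a 68-byte stack array with no bound check. A 14-byte Ethernet header plus an IPv4 header with options (up to 60 bytes) plus a TCP header with options (up to 60 bytes) is 134 bytes, so an unusual or deliberately crafted packet overruns sanitized_pkt on the stack of the sensor. Either size the buffer at the snaplen or clamp the copy to sizeof(sanitized_pkt). The copy is in fact unnecessary: pcap_dump writes exactly h->caplen bytes from the buffer it is given, so passing p->pkt together with a header carrying the reduced caplen produces the same file with neither the copy nor the 68-byte limit. In the else branch, "pcap_dump((u_char *)data->dumpd,p->pkth,NULL)" hands a NULL buffer to fwrite while caplen may still be non-zero; set caplen to 0 there or skip the record.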
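An added, stand-alone C example (not part of Jim's patch, nor Snort's or libpcap's code) that does what the message describes with a bounded header-length computation: it parses Ethernet/IPv4/TCP/UDP headers to find where payload begins, never returns more than the captured length, and writes pcap records whose incl_len stops at that boundary while orig_len keeps the true wire length. It writes the classic pcap file layout by hand rather than calling pcap_dump, so it needs no libpcap. The frame builder, the demo helpers and the rule that non-IPv4 frames and non-TCP/UDP protocols keep only the headers that could be parsed are this example's own choices.

```c
/* Added example (not from the Snort patch or libpcap). Finds the payload
 * boundary of an Ethernet/IPv4 frame and writes pcap records whose
 * incl_len stops there. Classic pcap layout, little-endian, link type 1. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14

/* Number of leading bytes of pkt that are link/IP/transport headers.
 * Never exceeds caplen, so copying header_len() bytes cannot read past
 * the captured data whatever the length fields claim. Non-IPv4 frames
 * and protocols other than TCP/UDP keep only the headers parsed so far
 * (a privacy-first design choice of this example, not Snort's rule). */
size_t header_len(const uint8_t *pkt, size_t caplen)
{
    size_t off = ETH_HLEN;
    if (caplen < ETH_HLEN) return caplen;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return ETH_HLEN;  /* not IPv4 */
    if (caplen < off + 20) return caplen;                    /* truncated */
    size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;              /* 20..60 */
    if (ihl < 20) return off;                                /* malformed */
    uint8_t proto = pkt[off + 9];
    unsigned frag_off = ((pkt[off + 6] & 0x1f) << 8) | pkt[off + 7];
    off += ihl;
    if (off > caplen) return caplen;
    if (frag_off != 0) return off;       /* later fragment: all payload */
    if (proto == 6) {                    /* TCP: data offset gives 20..60 */
        if (caplen < off + 20) return caplen;
        size_t doff = (size_t)(pkt[off + 12] >> 4) * 4;
        if (doff < 20) return off;
        off += doff;
    } else if (proto == 17) {            /* UDP: fixed 8-byte header */
        off += 8;
    }
    return off > caplen ? caplen : off;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 24-byte pcap global header: magic, version 2.4, zone, sigfigs, snaplen, DLT. */
size_t pcap_global_header(uint8_t out[24], uint32_t snaplen)
{
    put32(out, 0xa1b2c3d4u);
    out[4] = 2; out[5] = 0; out[6] = 4; out[7] = 0;
    put32(out + 8, 0); put32(out + 12, 0);
    put32(out + 16, snaplen);
    put32(out + 20, 1);                       /* DLT_EN10MB */
    return 24;
}

/* One record: 16-byte record header followed by header bytes only.
 * incl_len is cut at the payload boundary; orig_len keeps the wire length
 * so readers still see the real size. Returns bytes written, 0 if out is
 * too small. */
size_t pcap_record_headers_only(uint8_t *out, size_t outcap, const uint8_t *pkt,
                                size_t caplen, size_t wirelen,
                                uint32_t ts_sec, uint32_t ts_usec)
{
    size_t keep = header_len(pkt, caplen);
    if (outcap < 16 + keep) return 0;
    put32(out, ts_sec); put32(out + 4, ts_usec);
    put32(out + 8, (uint32_t)keep);          /* incl_len */
    put32(out + 12, (uint32_t)wirelen);      /* orig_len */
    memcpy(out + 16, pkt, keep);
    return 16 + keep;
}

/* Constructed frame: Ethernet + IPv4 (ihl_words*4) + TCP (doff_words*4)
 * + payload bytes of 'A'. Returns the frame length. Test data only. */
size_t build_tcp_frame(uint8_t *buf, size_t ihl_words, size_t doff_words, size_t payload)
{
    size_t ip_len = ihl_words * 4, tcp_len = doff_words * 4;
    size_t total = ETH_HLEN + ip_len + tcp_len + payload;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                   /* EtherType IPv4 */
    buf[ETH_HLEN] = (uint8_t)(0x40 | ihl_words);      /* version 4 + IHL */
    buf[ETH_HLEN + 9] = 6;                            /* protocol TCP */
    buf[ETH_HLEN + ip_len + 12] = (uint8_t)(doff_words << 4);  /* data offset */
    memset(buf + ETH_HLEN + ip_len + tcp_len, 'A', payload);   /* payload */
    return total;
}

/* Demo helpers: header length under a caplen limit (0 = whole frame),
 * and the size of the resulting headers-only record. */
size_t demo_header_len(size_t ihl, size_t doff, size_t payload, size_t caplen)
{
    uint8_t buf[512];
    size_t n = build_tcp_frame(buf, ihl, doff, payload);
    return header_len(buf, caplen ? caplen : n);
}
size_t demo_record_len(size_t ihl, size_t doff, size_t payload)
{
    uint8_t buf[512], rec[512];
    size_t n = build_tcp_frame(buf, ihl, doff, payload);
    return pcap_record_headers_only(rec, sizeof rec, buf, n, n, 0, 0);
}

int main(void)
{
    uint8_t frame[512], rec[512], gh[24];
    size_t n = build_tcp_frame(frame, 15, 15, 200);   /* maximal IP+TCP options */
    printf("kept %zu of %zu bytes\n", header_len(frame, n), n);
    FILE *f = fopen("headers_only.pcap", "wb");
    if (!f) return 1;
    fwrite(gh, 1, pcap_global_header(gh, 1514), f);
    fwrite(rec, 1, pcap_record_headers_only(rec, sizeof rec, frame, n, n, 0, 0), f);
    return fclose(f) == 0 ? 0 : 1;
}
```

The point of the 15/15 frame in main is the one the patch's 68-byte buffer misses: with full IP and TCP options the headers alone are 134 bytes, so a fixed small buffer cannot hold "just the header"; computing the boundary from the packet and clamping to caplen handles both that case and frames captured shorter than their own headers.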