Snort mailing list archives
Re: Incorrect IP Flags Values in database output.
From: beenph <beenph () gmail com>
Date: Wed, 17 Aug 2011 13:49:38 -0400
On Wed, Aug 17, 2011 at 10:25 AM, <kareem () khan net> wrote:
Just one last note to make sure that everyone understands the problem. The problem is not with the schema of the database this time. The problem is with interpretation of the output of decode.c. The frag_flag element actually indicates that a packet is a fragment; it does not store the IP fragmentation flags. The output plugin for the database then stuffs the frag_flag element into ip_flags in the database. So the wrong information is getting populated into the database field.
Kareem
Everything that happens in decode is fine, since all the information you would want is accessible:

p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15);
p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14);
p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13);

And ntohs(p->iph->ip_off), which is used to set the value of p->frag_offset.

Maybe you would like to modify spo_database to suit your needs and log ntohs(p->iph->ip_off); instead of p->frag_flag. I might be wrong here, but what Russ mentioned previously is that all the main UIs using the schema are expecting the p->frag_flag value instead of ntohs(p->iph->ip_off). But if you want to use the native flag, it's there for you to plug in the code and use.

-elz.
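As an added example, not code from this thread or from Snort's own decode.c or spo_database, here is a self-contained C version of the extraction beenph quotes. The frag_flag rule (non-zero offset or MF set) is an assumption modelled on the decoder's behaviour, and the sample ip_off values are constructed. It shows that frag_flag answers "is this packet a fragment?" while the three flag bits live in rf/df/mf, which is exactly the mismatch Kareem describes when frag_flag is written into an ip_flags column:

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohs / htons */

/* Decoded view of the 16-bit ip_off field, mirroring the fields
 * named in the reply (p->rf, p->df, p->mf, p->frag_offset, p->frag_flag). */
struct ip_frag_info {
    uint16_t raw_ip_off;   /* host-order copy of ip_off: 3 flag bits + 13-bit offset */
    uint8_t  rf, df, mf;   /* reserved / don't-fragment / more-fragments bits */
    uint16_t frag_offset;  /* 13-bit fragment offset, in 8-byte units */
    uint8_t  frag_flag;    /* 1 only when the packet is a fragment (not the flag bits) */
};

/* ip_off_net is the field exactly as it sits in the header (network byte order). */
struct ip_frag_info decode_ip_off(uint16_t ip_off_net)
{
    struct ip_frag_info f;
    f.raw_ip_off  = ntohs(ip_off_net);               /* what the reply suggests logging */
    f.rf          = (uint8_t)((f.raw_ip_off & 0x8000) >> 15);
    f.df          = (uint8_t)((f.raw_ip_off & 0x4000) >> 14);
    f.mf          = (uint8_t)((f.raw_ip_off & 0x2000) >> 13);
    f.frag_offset = f.raw_ip_off & 0x1FFF;
    /* Assumption: a packet is a fragment when it has a non-zero offset or MF set. */
    f.frag_flag   = (f.frag_offset != 0 || f.mf) ? 1 : 0;
    return f;
}

/* The 3-bit value a column called ip_flags would be expected to hold (RF,DF,MF). */
uint8_t ip_flags_bits(struct ip_frag_info f)
{
    return (uint8_t)((f.rf << 2) | (f.df << 1) | f.mf);
}

int main(void)
{
    /* Constructed samples: a plain DF packet, a first fragment (MF set), a last fragment. */
    uint16_t samples[] = { htons(0x4000), htons(0x2000), htons(0x0005) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ip_frag_info f = decode_ip_off(samples[i]);
        printf("ip_off=0x%04x rf=%u df=%u mf=%u offset=%u frag_flag=%u ip_flags=%u\n",
               f.raw_ip_off, f.rf, f.df, f.mf, f.frag_offset, f.frag_flag,
               ip_flags_bits(f));
    }
    return 0;
}
```

The DF-only packet yields frag_flag=0 but ip_flags=2, and the last fragment yields frag_flag=1 but ip_flags=0, so storing frag_flag in ip_flags loses the flag bits entirely.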
Current thread:
- Incorrect IP Flags Values in database output. kareem (Aug 15)
- Fwd: [Snort-users] Incorrect IP Flags Values in database output. Joel Esler (Aug 15)
- Re: Incorrect IP Flags Values in database output. Russ Combs (Aug 15)
- Re: Incorrect IP Flags Values in database output. Joel Esler (Aug 15)
- Re: Incorrect IP Flags Values in database output. kareem (Aug 15)
- Re: Incorrect IP Flags Values in database output. Joel Esler (Aug 15)
- Re: Incorrect IP Flags Values in database output. beenph (Aug 15)
- Re: Incorrect IP Flags Values in database output. kareem (Aug 17)
- Re: Incorrect IP Flags Values in database output. beenph (Aug 17)
- Re: Incorrect IP Flags Values in database output. Joel Esler (Aug 15)
- Re: Incorrect IP Flags Values in database output. waldo kitty (Aug 15)