Snort mailing list archives

Re: Again snort and unixsocket


From: Fyodor <fygrave () tigerteam net>
Date: Mon, 26 Nov 2001 07:46:17 +0700

On Sun, Nov 25, 2001 at 10:47:02PM +0100, TSauter () gmx net wrote:

Hello snort-users,

first, thanks for all replies to my previous post. After some probs and manuals, I've now got the following code:

<snip>
        Alertpkt alert;
        while ((connfd = recvfrom(sockfd, &alert, sizeof(alert), 0,
                (struct sockaddr *) &adresse, (socklen_t *) &adrlen)) > 0)
        {
            Packet *p = NULL;
            p = (void *)&alert.pkt;
replace this with:
            if (!(alert.val & NOPACKET_STRUCT)) {
                if ((p = calloc(1, sizeof(Packet))) == NULL) {
                    perror("calloc");
                    exit(1);
                }

                /* alert.pkt is the raw capture; alert.pkth is the pcap header
                 * itself (not a pointer), so take its address */
                p->pkt = alert.pkt;
                p->pkth = &alert.pkth;
                /* the rest are byte offsets into alert.pkt; 0 = not present */
                if (alert.dlthdr) p->eh = (EtherHdr *)(alert.pkt + alert.dlthdr);
                if (alert.nethdr) p->iph = (IPHdr *)(alert.pkt + alert.nethdr);
                if (alert.transhdr && p->iph) {
                    switch (p->iph->ip_proto) {
                        case IPPROTO_TCP:
                            p->tcph = (TCPHdr *)(alert.pkt + alert.transhdr);
                            break;
                        case IPPROTO_UDP:
                            p->udph = (UDPHdr *)(alert.pkt + alert.transhdr);
                            break;
                        case IPPROTO_ICMP:
                            p->icmph = (ICMPHdr *)(alert.pkt + alert.transhdr);
                            break;
                        default:
                            printf("WTF!\n");
                    }
                }
                if (alert.data) p->data = alert.pkt + alert.data;

                /* now do whatever you want with these packet structures */
            } /* if (!NOPACKET_STRUCT) */

            printf("%s [%d]\n", alert.alertmsg, alert.event.event_id);
            /* sp/dp are not filled in by the offsets above; they stay 0
             * unless you read them out of p->tcph / p->udph */
            if (p) printf("%d->%d\n", p->sp, p->dp);

            if (p && p->iph) {
                printf("from: %s ", inet_ntoa(p->iph->ip_src));
                printf("to: %s\n", inet_ntoa(p->iph->ip_dst));
            }
etc..

            fflush(NULL);
            free(p);    /* pairs with the calloc above, one per alert */
        }
</snip>

infos like IP addresses or ports. I think all infos should be stored in
"alert.pkt", which is simply a pointer to a Packet structure (decode.h). But how can I

No, just the pure packet captured off the wire + offsets to the relevant data
structures are stored. You can't store the Packet structure in it, cuz the
packet structure has lots of pointers to data located outside of the
packet structure. So I had to use offsets instead (and recalc. the pointers
in the client code).


hope it helps,
 -Fyodor
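A stand-alone resolver for the offset scheme Fyodor describes, added here as an illustration and not code from this thread or from Snort: it uses a constructed stand-in for Alertpkt (only the pcap header, the offset fields, the flag word and a small pkt[] buffer), and it checks every offset against caplen before turning it into a pointer, since whatever is on the other end of the socket chooses those values.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for Snort's Alertpkt (unsock.h): only the fields this
 * example needs, and a small SNAPLEN so the sample packet fits inline. */
#define SNAPLEN 64
#define NOPACKET_STRUCT 0x1
typedef struct {
    struct { uint32_t caplen, len; } pkth;     /* stand-in for pcap_pkthdr */
    uint32_t dlthdr, nethdr, transhdr, data;   /* byte offsets into pkt[] */
    uint32_t val;                              /* flag bits */
    uint8_t  pkt[SNAPLEN];                     /* raw bytes off the wire */
} Alertpkt;
typedef struct { const uint8_t *eh, *iph, *transh, *data; } PacketView;

/* Offset -> pointer only when a header of `need` bytes fits in the captured
 * bytes; 0 means "absent", out-of-range gives NULL (the peer may send junk). */
static const uint8_t *at(const Alertpkt *a, uint32_t off, size_t need)
{
    uint32_t cap = a->pkth.caplen > SNAPLEN ? SNAPLEN : a->pkth.caplen;
    if (off == 0 || off >= cap || need > cap - off)
        return NULL;
    return a->pkt + off;
}

/* Returns 0 and fills v on success, -1 when the alert carries no packet. */
int resolve(const Alertpkt *a, PacketView *v)
{
    uint32_t cap = a->pkth.caplen > SNAPLEN ? SNAPLEN : a->pkth.caplen;
    memset(v, 0, sizeof *v);
    if (a->val & NOPACKET_STRUCT) return -1;
    v->eh     = cap >= 14 ? a->pkt : NULL;   /* link header opens the capture */
    v->iph    = at(a, a->nethdr,   20);      /* minimal IPv4 header */
    v->transh = at(a, a->transhdr,  8);      /* UDP header / TCP prefix */
    v->data   = at(a, a->data,      1);
    return 0;
}

/* Constructed sample: Ethernet(14) + IPv4(20) + UDP(8) + 4 payload bytes. A
 * nonzero transhdr_override replaces the transport offset to show a corrupt
 * one being rejected. Returns the number of headers resolved, or -1. */
int resolved_count(uint32_t transhdr_override, uint32_t val)
{
    Alertpkt a = {0}; PacketView v;
    a.pkth.caplen = a.pkth.len = 46;
    a.nethdr = 14; a.transhdr = 34; a.data = 42; a.val = val;
    if (transhdr_override) a.transhdr = transhdr_override;
    if (resolve(&a, &v) != 0) return -1;
    return (v.eh != NULL) + (v.iph != NULL) + (v.transh != NULL) + (v.data != NULL);
}
```

With the sample's own offsets all four headers resolve; an offset past caplen, or one that leaves no room for the header, comes back NULL instead of a pointer beyond pkt[].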

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

