Snort mailing list archives

Re: Re: configure snort to drop payloads


From: "Dr. Richard W. Tibbs" <ccamp () oakcitysolutions com>
Date: Thu, 18 Apr 2002 10:10:45 -0400

OK, Hogwash I am not familiar with.
Another solution comes to mind for the problem that (I guess it was) Lyle brought up.

Use the -A unsock option, and turn logging off.
Write a small socket program to extract just the headers, and write the rest of the alert info plus any header or pcap info you like to a log file of your choosing. The socket prog can determine the correct header length on a per packet basis, whereas -P option cannot.

Cheers. >RWT

Alex Pinheiro Machado Rodrigues wrote:

Try HogWash.
Alex
Brazil


----- Original Message ----- From: "Dr. Richard W. Tibbs" <ccamp () oakcitysolutions com>
To: "James Hoagland" <hoagland () SiliconDefense com>
Cc: "Lyle Sudin" <lylesudin () yahoo com>; <Snort-users () lists sourceforge net>
Sent: Thursday, April 18, 2002 9:48 AM
Subject: Re: [Snort-users] configure snort to drop payloads


Hey, can you identify what .c in the snort distrib you are modifying below?
Thx.

James Hoagland wrote:

At 6:07 AM -0800 4/2/02, Lyle Sudin wrote:

Is there an easy way to run snort in packet sniffing
mode which will be able to keep up with a 100MB
connection, log in tcpdump format, and only log the
packet headers?

The -b switch seems to keep up with the traffic and
not drop packets but includes the payload in addition
to the headers.  I need to do all the parsing before
writing to disk (both privacy and disk space concerns)
so I am looking for either a switch I am missing or
code to edit.


Lyle,

See the diff below. I haven't so much as tried to compile this (let alone be sure it works; so use at your own risk) but this might meet your requirement for *no* logging of payload data. Basically it copies just the header of the packet into a buffer and gives that to libpcap for writing. It also lies to pcap about the capture length, saying it is just the length of the header. Right now, this is enabled by a #define; it wouldn't be hard to add it as a command line switch.

Mostly due to needing to make a copy of the header, there is a small performance hit. If this matters, you can post-process your tcpdump file with this option enabled, rather than running with it originally. (I am making a conservative assumption about pcap in making a copy of the header.)

Corrections to this code would be welcome.

Hope this helps,

  Jim


--- spo_log_tcpdump.c.orig      Wed Apr 17 13:44:03 2002
+++ spo_log_tcpdump.c   Wed Apr 17 15:25:55 2002
@@ -38,6 +38,8 @@
 * First logger...
 *
 */
+
+#define DONT_LOG_PAYLOAD 1

/* your output plugin header file goes here */
#include "spo_log_tcpdump.h"
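Review bot: `DONT_LOG_PAYLOAD` is hard-wired to 1, so every build of this file drops payloads and the only way back is editing the source; the covering message already says a command-line switch would be easy, so gate the behaviour on a `pv` flag (the way `pv.obfuscation_flag` is used in the next hunk) or at least default the define to 0 and add a comment saying what it does and that the header copy is capped at a fixed size.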
@@ -170,6 +172,14 @@

    if(p)
    {
+#if DONT_LOG_PAYLOAD
+        u_int8_t sanitized_pkt[68];
+        u_int16_t real_caplen= p->pkth->caplen <= 68 ?
+                                 p->pkth->caplen : 68;
+       +        p->pkth->caplen-= p->dsize;
+#endif       +                if(pv.obfuscation_flag)
        {
            if(p->iph != NULL)
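Review bot: `real_caplen` saves the clamped value (`p->pkth->caplen <= 68 ? p->pkth->caplen : 68`) rather than the original `caplen`, so for any capture longer than 68 bytes the restore at the end of the function leaves `p->pkth->caplen` wrong for every output plugin that runs after this one; save the unclamped `p->pkth->caplen` in `real_caplen` and compute the truncated length separately as the smaller of `caplen - dsize` and `sizeof(sanitized_pkt)` (an IPv4 header with options plus a TCP header with options is 134 bytes on Ethernet, well past 68). `p->pkth->caplen -= p->dsize` also assumes the payload is the tail of the captured bytes and that `dsize` never exceeds `caplen`; a guard for `p->dsize > p->pkth->caplen` would avoid an unsigned underflow on a malformed or truncated packet.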
@@ -181,9 +191,23 @@

        data->log_written = 1;

+#if DONT_LOG_PAYLOAD
+        /* copy just the header over */
+        if (p->pkt != NULL) { /* in case we get here w/o a pkt */
+            memcpy(sanitized_pkt,p->pkt,p->pkth->caplen);
+            pcap_dump((u_char *)data->dumpd,p->pkth,sanitized_pkt);
+        } else {
+            /* sizeof(struct pcap_pkthdr) = 16 bytes */
+            pcap_dump((u_char *)data->dumpd,p->pkth,NULL);
+        }
+
+
+        p->pkth->caplen= real_caplen; /* restore p->pkth */
+#else
        /* sizeof(struct pcap_pkthdr) = 16 bytes */
        pcap_dump((u_char *)data->dumpd,p->pkth,p->pkt);
-
+#endif
+           if(!pv.line_buffer_flag)
        {
            fflush((FILE *)data->dumpd);
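Review bot: `memcpy(sanitized_pkt,p->pkt,p->pkth->caplen)` copies the reduced `caplen` into a fixed 68-byte stack buffer with no bound check, so any frame whose headers exceed 68 bytes (IP options, TCP options) overruns the stack; bound the copy by `sizeof(sanitized_pkt)` and set `p->pkth->caplen` to that bound before `pcap_dump`. The `p->pkt == NULL` branch still calls `pcap_dump` with a NULL data pointer and a non-zero `caplen`, which makes libpcap read `caplen` bytes from address zero when it writes the record; skip the dump in that case rather than passing NULL. Minor: the two blank lines before the restore and the misaligned `if(!pv.line_buffer_flag)` line should be tidied before this goes in.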


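Both suggestions in this thread, the socket program that "determines the correct header length on a per packet basis" and the patch that copies only the headers into a buffer before handing them to libpcap, need the same piece of logic: parse enough of each frame to find where the headers end and the payload begins. The example below is added here and is not code from Snort or from any poster; it assumes Ethernet framing with IPv4 and handles TCP (using the data offset), UDP and ICMP, falling back to keeping the whole capture for anything it cannot parse, so a parse failure never leaks more than a normal capture would and never drops headers. It also builds a constructed TCP frame with 40 bytes of TCP options to show the case the fixed 68-byte buffer in the patch mishandles: the full header is 94 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800

/* Number of leading bytes of `pkt` that are protocol headers
 * (Ethernet + IPv4 + TCP/UDP/ICMP), clamped to `caplen`.  Anything we
 * cannot parse (non-IPv4, truncated or malformed headers) returns
 * `caplen` unchanged: keep the bytes rather than guess at a cut point. */
size_t header_len(const uint8_t *pkt, size_t caplen)
{
    size_t off = ETH_HLEN;
    if (caplen < off) return caplen;
    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != ETHERTYPE_IPV4) return caplen;    /* only IPv4 handled */
    if (caplen < off + 20) return caplen;               /* truncated IP header */
    uint8_t ver = pkt[off] >> 4, ihl = pkt[off] & 0x0f;
    if (ver != 4 || ihl < 5) return caplen;             /* malformed */
    uint8_t proto = pkt[off + 9];
    off += (size_t)ihl * 4;                             /* IP options included */
    if (off > caplen) return caplen;                    /* options truncated */
    switch (proto) {
    case 6: {                       /* TCP: data offset is the upper nibble of byte 12 */
        if (caplen < off + 20) return caplen;
        uint8_t doff = pkt[off + 12] >> 4;
        if (doff < 5) return caplen;
        off += (size_t)doff * 4;
        break;
    }
    case 17: off += 8; break;       /* UDP: fixed 8-byte header */
    case 1:  off += 8; break;       /* ICMP: type, code, checksum, rest-of-header */
    default: break;                 /* unknown transport: keep the IP header only */
    }
    return off < caplen ? off : caplen;
}

/* Build a constructed Ethernet/IPv4/TCP frame (sample data for the demo,
 * not a real capture) with `optlen` bytes of TCP options and
 * `payload_len` bytes of payload.  Returns the frame length, 0 on error. */
size_t build_tcp_frame(uint8_t *buf, size_t bufsz, size_t optlen, size_t payload_len)
{
    size_t tcp_hlen = 20 + optlen;
    size_t total = ETH_HLEN + 20 + tcp_hlen + payload_len;
    if (total > bufsz || optlen % 4 != 0 || optlen > 40) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                          /* EtherType IPv4 */
    buf[ETH_HLEN] = 0x45;                                    /* version 4, IHL 5 */
    uint16_t iplen = (uint16_t)(20 + tcp_hlen + payload_len);
    buf[ETH_HLEN + 2] = (uint8_t)(iplen >> 8);
    buf[ETH_HLEN + 3] = (uint8_t)(iplen & 0xff);
    buf[ETH_HLEN + 9] = 6;                                   /* protocol TCP */
    buf[ETH_HLEN + 20 + 12] = (uint8_t)((tcp_hlen / 4) << 4); /* TCP data offset */
    memset(buf + ETH_HLEN + 20 + tcp_hlen, 'A', payload_len); /* payload to drop */
    return total;
}

int main(void)
{
    uint8_t frame[1600];
    size_t n = build_tcp_frame(frame, sizeof frame, 40, 500);
    size_t keep = header_len(frame, n);
    printf("captured %zu bytes, headers end at byte %zu, %zu payload bytes dropped\n",
           n, keep, n - keep);
    printf("a fixed 68-byte snaplen would have cut %zu header bytes\n",
           keep > 68 ? keep - 68 : 0);
    return 0;
}
```

The value `header_len` returns is the `caplen` to hand to `pcap_dump` (or to write into your own log): `len` in the pcap record header stays the original wire length, which is exactly how libpcap records a truncated packet, so standard tools read the file without complaint.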


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





