Snort mailing list archives

snort-flood detection preprocessor


From: Cearns Angela <acearns () yahoo com>
Date: Fri, 2 Aug 2002 15:25:03 -0700 (PDT)

Hello group,

  I sent this mail to the devel group also.

  I am new to Snort. I am working on writing a generic
patch for flood detection. I want this to be
implemented as a preprocessor plugin (I think this is
the right way for flood detection). I am trying to
read the packets from the preproc function I
registered for the module. On getting the packet I am
trying to see the source and destination address. For
some strange reason the destination and source address
seem to be the same. I am clueless as to why this is
happening. Can you please provide me with the necessary
information?

Attached below is a small piece of code along with the
output and the testing method used.
Thanks,
Ang
---------------------------------------

#include <stdio.h>
#include <arpa/inet.h>
#include "decode.h"      /* Snort's Packet / IPHdr definitions */
#include "plugbase.h"    /* RegisterPreprocessor(), AddFuncToPreprocList() */

void FloodInit(u_char * args);
void ParseFloodArgs(u_char * args);   /* borrowed from spp_portscan.c; prototype assumed */

void FloodPreprocFunction(Packet * p)
{
    /* inet_ntoa() returns a pointer to a single static buffer, so two calls
     * in one printf() argument list both end up pointing at the same text
     * (both calls run before printf() does).  Copy each address into its
     * own buffer with inet_ntop() before printing. */
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];

    /* Only do processing on IP Packets */
    if(p->iph == NULL)
    {
        return;
    }

    /*
     * Here we check if it is a protocol we are watching and if it is a
     * destination we are watching.  If either fails, we return abruptly.
     */
    switch(p->iph->ip_proto)
    {
        case IPPROTO_TCP:
            /* A TCP packet whose header did not decode is of no use here */
            if(p->tcph == NULL)
            {
                return;
            }
#ifdef DEBUG
            printf("spp_flood: Got TCP pkt\n");
#endif
            break;

        case IPPROTO_UDP:
#ifdef DEBUG
            printf("spp_flood: Got UDP pkt\n");
#endif
            break;

        case IPPROTO_ICMP:
            inet_ntop(AF_INET, &p->iph->ip_src, src, sizeof(src));
            inet_ntop(AF_INET, &p->iph->ip_dst, dst, sizeof(dst));
            printf("source address is %s destination is %s\n", src, dst);
#ifdef DEBUG
            printf("spp_flood: Got ICMP pkt\n");
#endif
            /* scanType and sICMP come from the spp_portscan.c code this borrows from */
            scanType = sICMP;
            break;

        default:
            /* The packet isn't a protocol we watch, so get out of here. */
            return;         /*** RETURN ***/
    }
}


void SetupFlood(void)
{
    RegisterPreprocessor("flood", FloodInit);
}


void FloodInit(u_char * args)
{
    /* read the flood arguments from the config file */
    /* currently borrowed from spp_portscan.c */
    ParseFloodArgs(args);

    /* hook FloodPreprocFunction into Snort's preprocessor chain */
    AddFuncToPreprocList(FloodPreprocFunction);
}


Test
----
ping -f -c 4 abc.cs.edu

abc.cs.edu has ip <a.b.c.d>
attack host has ip <p.q.r.s>

output
-------
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com,
www.snort.org)
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
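
The output above is what two inet_ntoa() calls inside one printf() produce: inet_ntoa() hands back a pointer to a single static buffer, and both calls are evaluated before printf() runs, so the two %s arguments print the same address. The following is an added example, not code from the original post or from Snort: it reproduces that behaviour, shows the inet_ntop() fix with caller-owned buffers, and then sketches the next thing a flood preprocessor needs once the source address reads correctly, a per-source packet counter over a time window. The table size, window and threshold are illustrative constants, and the sample addresses are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <arpa/inet.h>

/* The pattern from the post: two inet_ntoa() calls in one printf() argument
 * list.  inet_ntoa() returns a pointer to ONE static buffer and both calls
 * run before snprintf() does, so both arguments show the same address. */
int naive_pair(struct in_addr src, struct in_addr dst, char *out, size_t n)
{
    return snprintf(out, n, "source address is %s destination is %s",
                    inet_ntoa(src), inet_ntoa(dst));
}

/* Fixed version: inet_ntop() writes into buffers the caller owns. */
int safe_pair(struct in_addr src, struct in_addr dst, char *out, size_t n)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &src, s, sizeof s);
    inet_ntop(AF_INET, &dst, d, sizeof d);
    return snprintf(out, n, "source address is %s destination is %s", s, d);
}

/* Returns 1 when the naive formatter printed the same address twice. */
int demo_naive_equal(void)
{
    struct in_addr s, d;
    char out[96];
    inet_pton(AF_INET, "10.0.0.1", &s);   /* constructed sample addresses */
    inet_pton(AF_INET, "10.0.0.2", &d);
    naive_pair(s, d, out, sizeof out);
    return strstr(out, "10.0.0.1 destination is 10.0.0.1") != NULL
        || strstr(out, "10.0.0.2 destination is 10.0.0.2") != NULL;
}

/* Returns 1 when the fixed formatter shows both addresses correctly. */
int demo_safe_ok(void)
{
    struct in_addr s, d;
    char out[96];
    inet_pton(AF_INET, "10.0.0.1", &s);
    inet_pton(AF_INET, "10.0.0.2", &d);
    safe_pair(s, d, out, sizeof out);
    return strcmp(out, "source address is 10.0.0.1 destination is 10.0.0.2") == 0;
}

/* Per-source packet rate, the core of a flood check.  Deliberately small
 * direct-mapped table (colliding sources evict each other); window and
 * threshold are illustrative constants, not Snort configuration values. */
#define FLOOD_SLOTS     64
#define FLOOD_WINDOW    1     /* seconds */
#define FLOOD_THRESHOLD 100   /* packets per window from one source */

struct flood_slot { uint32_t src; time_t start; unsigned count; };
static struct flood_slot flood_table[FLOOD_SLOTS];

/* Count one packet from src (network-order s_addr) seen at time now.
 * Returns 1 exactly when the source reaches the threshold inside the
 * current window, so the caller alerts once per window, not per packet. */
int flood_note_packet(uint32_t src, time_t now)
{
    struct flood_slot *slot = &flood_table[src % FLOOD_SLOTS];
    if (slot->src != src || now - slot->start >= FLOOD_WINDOW) {
        slot->src = src;      /* new source or expired window: restart */
        slot->start = now;
        slot->count = 0;
    }
    slot->count++;
    return slot->count == FLOOD_THRESHOLD;
}

/* Feed 150 packets from one constructed source within the same second, then
 * one more five seconds later; returns the number of alerts raised. */
int flood_demo(void)
{
    struct in_addr s;
    int alerts = 0, i;
    inet_pton(AF_INET, "192.0.2.7", &s);  /* constructed source address */
    for (i = 0; i < 150; i++)
        alerts += flood_note_packet(s.s_addr, 1000);
    alerts += flood_note_packet(s.s_addr, 1005);   /* new window, count 1 */
    return alerts;
}

int main(void)
{
    printf("naive prints the same address twice: %d\n", demo_naive_equal());
    printf("fixed prints both addresses correctly: %d\n", demo_safe_ok());
    printf("flood alerts over the demo traffic: %d\n", flood_demo());
    return 0;
}
```

Inside a real preprocessor the counter would be keyed on p->iph->ip_src.s_addr and p->pkth->ts.tv_sec rather than on the constructed values used here, and the fixed-size table would need a collision strategy before it could be trusted under load.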





