Snort mailing list archives

patch for flow portscan preprocessor's deficient logging


From: Holt Sorenson <hso () nosneros net>
Date: Mon, 24 May 2004 21:08:01 +0000

The flow portscan preprocessor that is included with Snort v2.1.2 logs
messages that are inconsistent with the logging format of Snort
itself and other preprocessors that come with Snort.

The issue is discussed in this thread:
http://msgs.securepoint.com/cgi-bin/get/snort-0403/63.html

The attached patch remedies this problem by passing the orig_packet
pointer to the alert functions. It also adds some debugging messages
that can be enabled when the SNORT_DEBUG environment variable
includes the FLOWSYS constant and Snort has been compiled with debugging
enabled.

The following is an example of a log message created prior to the patch:

Jan 01 00:00:00 hostname snort: Portscan detected from 10.0.0.1 Talker(fixed: 5 sliding: 31) Scanner(fixed: 0 sliding: 0)


The following are examples of log messages created after the patch has
been applied:

Jan 01 00:00:00 hostname snort: [121:3:1] (flow_ps) Portscan detected from 10.0.0.1 Talker(fixed: 20 sliding: 15) Scanner(fixed: 0 sliding: 0) <eth0> {TCP} 10.0.0.1:38896 -> 10.1.0.1:181
Jan 01 00:00:00 hostname snort: [121:4:1] (flow_ps) Portscan detected from 10.0.0.1 Talker(fixed: 15 sliding: 30) Scanner(fixed: 0 sliding: 0) <eth0> {TCP} 10.0.0.1:36951 -> 10.1.0.1:788

Even though this patch is small, the usual amount of "somebody
else created this patch" security/reliability checks should be done.
As always, YMMV (Don't call me if it breaks everything). It carries
no warranty or guarantee, etc.....

-Holt

Attachment: flowps_properlogging.diff
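The difference between the two message shapes quoted above matters to anything downstream of syslog: the pre-patch line has no [gid:sid:rev] triple and no {proto} src:port -> dst:port tail, so a collector cannot map it to a signature or to a flow and has to fall back to free-text matching. The following parser is an added example, not part of the original post or of Snort, written against the standard Snort syslog alert layout as it appears in the post-patch lines; it treats the <iface> field as optional (an assumption, since the post only shows lines that carry it) and uses sample lines constructed from the ones quoted in the post.

```python
"""Parse Snort syslog alert bodies of the form the patch produces and flag
lines that do not fit it.

Added example, not the post's or Snort's own code.  The regexes follow the
layout visible in the post-patch lines:
  [gid:sid:rev] (component) free-text message <iface> {PROTO} src:sport -> dst:dport
The <iface> field is treated as optional (assumption).  SAMPLE_LINES are
constructed from the messages quoted in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# syslog prefix: "Mon DD HH:MM:SS host snort: " or "... snort[pid]: "
SYSLOG_PREFIX_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+snort(?:\[\d+\])?:\s+"
)

# Standard alert body.  The message part is matched lazily so that the
# optional <iface> and the mandatory {PROTO} src -> dst tail are picked up.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:\((?P<component>[^)]+)\)\s+)?"      # e.g. "(flow_ps)", optional
    r"(?P<msg>.*?)\s*"
    r"(?:<(?P<iface>[^>]+)>\s+)?"            # e.g. "<eth0>", assumed optional
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    component: Optional[str]
    msg: str
    iface: Optional[str]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def strip_syslog_prefix(line: str) -> str:
    """Drop the syslog timestamp/host/program tag and return the alert body."""
    return SYSLOG_PREFIX_RE.sub("", line.strip(), count=1)


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a structured alert, or None when the body lacks the standard
    [gid:sid:rev] header and {proto} src -> dst tail (the pre-patch shape)."""
    m = ALERT_RE.match(strip_syslog_prefix(line))
    if not m:
        return None
    g = m.groupdict()
    return SnortAlert(
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        component=g["component"], msg=g["msg"].strip(), iface=g["iface"],
        proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def find_deficient_alerts(lines: List[str]) -> List[str]:
    """Return the snort lines a collector could not key on signature or flow."""
    return [l for l in lines if "snort" in l and parse_alert(l) is None]


# Constructed sample lines, modelled on the ones quoted in the post.
SAMPLE_LINES = [
    "Jan 01 00:00:00 hostname snort: Portscan detected from 10.0.0.1 "
    "Talker(fixed: 5 sliding: 31) Scanner(fixed: 0 sliding: 0)",
    "Jan 01 00:00:00 hostname snort: [121:3:1] (flow_ps) Portscan detected from "
    "10.0.0.1 Talker(fixed: 20 sliding: 15) Scanner(fixed: 0 sliding: 0) <eth0> "
    "{TCP} 10.0.0.1:38896 -> 10.1.0.1:181",
    "Jan 01 00:00:00 hostname snort: [121:4:1] (flow_ps) Portscan detected from "
    "10.0.0.1 Talker(fixed: 15 sliding: 30) Scanner(fixed: 0 sliding: 0) <eth0> "
    "{TCP} 10.0.0.1:36951 -> 10.1.0.1:788",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_alert(sample)
        print(parsed if parsed else f"DEFICIENT: {strip_syslog_prefix(sample)}")
```

Run stand-alone it prints a structured record for each post-patch line and marks the pre-patch line as deficient; the same `parse_alert` check can be pointed at a live syslog stream to confirm, after applying the patch, that every flow_ps alert carries a signature id and a 5-tuple.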

