[Snort-devel] spp_portscan logging patch

James Hoagland hoagland at ...60...
Tue Dec 5 14:07:50 EST 2000


At 12:25 PM +0100 12/5/00, Erich Meier wrote:
>Hi!
>
>Here is a patch to spp_portscan.c to correct the alert and log functions.
>Without the patch, the subsystem logs the current packet which is largely
>misleading.

Oh wow!  When did the packet start getting sent with the portscan 
messages?  That the packet is getting logged causes SnortSnarf to 
complain about the other extra lines, since it is only expecting the 
short form produced with NULL as the first argument.  The patch 
should fix that.

-- Jim

>
>-----
>Index: spp_portscan.c
>===================================================================
>RCS file: /cvsroot/snort/snort/spp_portscan.c,v
>retrieving revision 1.18
>diff -r1.18 spp_portscan.c
>933,934c933,934
><   CallAlertFuncs(p, logMessage, NULL);
><   CallLogFuncs(p, logMessage, NULL);
>---
>>    CallAlertFuncs(NULL, logMessage, NULL);
>>    CallLogFuncs(NULL, logMessage, NULL);
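Review bot: Both calls at 933-934 now pass NULL as the first argument, so every registered alert and log function must cope with having no packet; please confirm that holds for all of them before this goes in. A one-line comment above the pair saying the packet is left out on purpose, because logging the current packet alongside the portscan message is misleading, would stop a later change from putting p back.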
>958,959c958,959
><    CallAlertFuncs(p, logMessage, NULL);
><    CallLogFuncs(p, logMessage, NULL);
>---
>>     CallAlertFuncs(NULL, logMessage, NULL);
>>     CallLogFuncs(NULL, logMessage, NULL);
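Review bot: The replacement lines at 958-959 are indented one column deeper than the lines they replace (the same shift appears at 933-934), so the patch mixes a whitespace change into the argument change; keep the original indentation. The identical CallAlertFuncs/CallLogFuncs pair with NULL now sits at two call sites, so a small shared helper would keep the two from diverging again.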
>-----
>
>Erich
>_______________________________________________
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>http://lists.sourceforge.net/mailman/listinfo/snort-devel

-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
