[Snort-devel] Re: [Snort-users] Multiple IP address matching

James Hoagland hoagland at ...60...
Thu Sep 21 14:25:08 EDT 2000


[hopping lists here...]

At 1:30 AM -0700 9/21/00, Dragos Ruiu wrote:
>[snip]
>But the good news is that this is such an oft requested task
>that it's on the development todo list to change the address
>type to a list of addresses.  I've been looking over how to
>implement this, and if Marty or Fyodor don't tackle it before
>I do, I plan on upgrading my snorters with this capability within
>the next few releases because I need this feature too.
>
>I would also like to convert the port types to ranges too...
>
>cheers,
>--dr

I have some code that is being used in Spade that might help.  It 
constructs a list of networks (IP and netmask), which later gets 
checked.  These are excerpts from spp_anomsensor.[ch] (originally 
src/anomsensor_plug.[ch]):


typedef struct _ll_net {
    u_long netaddr;         /* network address, network byte order, host bits cleared */
    u_long netmask;         /* netmask, network byte order */
    struct _ll_net *next;
} ll_net;

...

ll_net *create_netlist(char *nets[],int count);

...

/* create a linked list of network specifications (address and netmask) from
   an array of strings, each a CIDR network spec or a plain IP address.
   Uses Snort's mSplit(), netmasks[] table and FatalError(). */
ll_net *create_netlist(char *nets[],int count) {
    ll_net *prev=NULL,*head=NULL,*cur=NULL;
    int i, j;
    char **toks;
    int num_toks;
    int nmask;
    struct in_addr net;

    for (i=0; i < count; i++) {
        cur= (ll_net *)malloc(sizeof(ll_net));
        if (cur == NULL)
            FatalError("ERROR: out of memory building network list\n");
        cur->next= NULL;
        if (i > 0) {
            prev->next= cur;
        } else {
            head= cur;
        }

        // this code based strongly on GenHomenet in snort.c
        /* break out the CIDR notation from the IP address */
        toks = mSplit(nets[i],"/",2,&num_toks,0);

        /* convert the CIDR notation into a real live netmask;
           a bare address with no "/" gets a /32 host mask */
        if (num_toks < 2) {
            nmask= 32;
        } else {
            nmask = atoi(toks[1]);
        }

        if ((nmask >= 0) && (nmask <= 32))
        {
            cur->netmask = netmasks[nmask];
        }
        else
        {
            FatalError("ERROR: Bad CIDR size [%d], 0 to 32 please!\n",
                       nmask);
        }

        /* netmasks[] is in host order; since PC's store things the "wrong" way,
           shuffle the bytes into network order to match inet_addr()'s result */
#ifndef WORDS_BIGENDIAN
        cur->netmask = htonl(cur->netmask);
#endif

        /* convert the IP addr into its 32-bit value
           (inet_addr() also returns -1 for 255.255.255.255, so that
           address cannot be listed with this call) */
        if ((net.s_addr = inet_addr(toks[0])) ==-1)
        {
            FatalError("ERROR: network (%s) didn't translate with inet_addr, must be poorly formed\n",
                       toks[0]);
        }
        else
        {
            /* keep only the network part so a later (ip & mask) == netaddr test works */
            cur->netaddr = ((u_long)net.s_addr & cur->netmask);
        }

        /* mSplit() allocates each token separately; free them, then the array */
        for (j=0; j < num_toks; j++)
            free(toks[j]);
        free(toks);

        prev= cur;
    }

    return head;
}


Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
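The post above builds the list but only says it "later gets checked". The following is an added, stand-alone example (not Spade's or Snort's code) that does both halves: it parses a list of "a.b.c.d" or "a.b.c.d/n" strings into the same kind of (netaddr, netmask) linked list and then tests candidate addresses against it with the (ip & mask) == netaddr comparison. To build without the Snort tree it replaces mSplit(), the netmasks[] table and FatalError() with plain libc: strchr()/strtol() for the split, a computed mask (with the /0 shift case handled), inet_pton() instead of inet_addr() so 255.255.255.255 is accepted, and an error return instead of aborting. The function names, the sample network list and the sample addresses are all constructed for the example.

```c
/* Added example: CIDR list parsing plus address matching.
 * Not Spade/Snort code; mSplit/netmasks[]/FatalError replaced with plain libc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

typedef struct ll_net {
    uint32_t netaddr;       /* network byte order, host bits already cleared */
    uint32_t netmask;       /* network byte order */
    struct ll_net *next;
} ll_net;

void netlist_free(ll_net *head);

/* Turn a prefix length 0..32 into a network-order mask.
 * The /0 case is special-cased: shifting a 32-bit value by 32 is undefined in C. */
static uint32_t prefix_to_mask(int prefix) {
    if (prefix == 0) return 0;
    return htonl(0xFFFFFFFFu << (32 - prefix));
}

/* Parse "1.2.3.4" (implied /32) or "10.0.0.0/8".  Returns 0 on success, -1 on
 * malformed input.  inet_pton() is strict and, unlike inet_addr(), can return
 * 255.255.255.255 without that value colliding with the error code. */
static int parse_net(const char *spec, uint32_t *addr_out, uint32_t *mask_out) {
    char buf[32];
    size_t len = strlen(spec);
    int prefix = 32;
    if (len == 0 || len >= sizeof buf) return -1;
    memcpy(buf, spec, len + 1);

    char *slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        long v = strtol(slash + 1, &end, 10);
        /* reject "/", "/24x", negative and >32 prefixes (atoi would silently accept some) */
        if (end == slash + 1 || *end != '\0' || v < 0 || v > 32) return -1;
        prefix = (int)v;
    }

    struct in_addr in;
    if (inet_pton(AF_INET, buf, &in) != 1) return -1;
    *mask_out = prefix_to_mask(prefix);
    *addr_out = in.s_addr & *mask_out;     /* store the network, not the host bits */
    return 0;
}

/* Build the list in input order.  On any bad entry, free what was built and
 * return NULL instead of aborting the process. */
ll_net *netlist_create(const char *const nets[], int count) {
    ll_net *head = NULL, *tail = NULL;
    for (int i = 0; i < count; i++) {
        ll_net *cur = malloc(sizeof *cur);
        if (cur == NULL || parse_net(nets[i], &cur->netaddr, &cur->netmask) != 0) {
            free(cur);
            netlist_free(head);
            return NULL;
        }
        cur->next = NULL;
        if (tail) tail->next = cur; else head = cur;
        tail = cur;
    }
    return head;
}

void netlist_free(ll_net *head) {
    while (head) {
        ll_net *next = head->next;
        free(head);
        head = next;
    }
}

/* The "later gets checked" step: 1 if ip falls inside any listed network,
 * 0 if it matches none, -1 if ip itself is not a valid dotted quad. */
int netlist_match(const ll_net *head, const char *ip) {
    struct in_addr in;
    if (inet_pton(AF_INET, ip, &in) != 1) return -1;
    for (const ll_net *n = head; n != NULL; n = n->next)
        if ((in.s_addr & n->netmask) == n->netaddr) return 1;
    return 0;
}

/* Constructed sample configuration: two networks and one bare host address. */
static const char *const sample_nets[] = { "192.168.1.0/24", "10.0.0.5", "172.16.0.0/12" };
#define SAMPLE_NETS_LEN 3

int main(void) {
    /* constructed sample addresses to test against the list */
    static const char *const probes[] = { "192.168.1.77", "192.168.2.1", "10.0.0.5",
                                          "10.0.0.6", "172.31.255.255", "172.32.0.0" };
    ll_net *list = netlist_create(sample_nets, SAMPLE_NETS_LEN);
    if (list == NULL) { fprintf(stderr, "bad network list\n"); return 1; }
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-16s %s\n", probes[i], netlist_match(list, probes[i]) == 1 ? "match" : "no match");
    netlist_free(list);
    return 0;
}
```

A list walk is linear in the number of entries, which is fine for a handful of home networks; the point of the example is the address-in-network test itself, and that both sides of the comparison are in network byte order before the mask is applied.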
