[Snort-devel] Re: [Snort-users] alert.full strangeness

Fyodor fygrave at ...1...
Mon Apr 9 17:21:27 EDT 2001


> [**] spp_portscan: portscan status from 202.38.66.21: 8 connections across 8
> hosts: TCP(8), UDP(0) [**]
> 04/08/01-15:36:35.777164
> 
> [**] spp_portscan: End of portscan from 202.38.66.21: TOTAL time(0s) hosts(8)
> TCP(8) UDP(0) [**]
> 04/08/01-15:37:11.021805
> 
> [**] External ssh access attempt [**]
> 04/08/01-16:04:59.870590209.16.131.73:1023 -> 10.10.10.10:22
> TCP TTL:255 TOS:0x0 ID:33220 IpLen:20 DgmLen:44 DF
> ******S* Seq: 0xA4FE435E  Ack: 0x0  Win: 0x2238  TcpLen: 24
> TCP Options (1) => MSS: 1460
> 
> [**] External ssh access attempt [**]
> 04/08/01-16:05:03.894923209.16.131.73:1022 -> 10.10.10.10:22
> TCP TTL:255 TOS:0x0 ID:33244 IpLen:20 DgmLen:44 DF
> ******S* Seq: 0xA5064F02  Ack: 0x0  Win: 0x2238  TcpLen: 24
> TCP Options (1) => MSS: 1460
> 
> [**] External ssh access attempt [**]
> 04/08/01-16:05:07.831160209.16.131.73:1021 -> 10.10.10.10:22
> TCP TTL:255 TOS:0x0 ID:33267 IpLen:20 DgmLen:44 DF
> ******S* Seq: 0xA50DDEB2  Ack: 0x0  Win: 0x2238  TcpLen: 24
> TCP Options (1) => MSS: 1460
> 


Ehe.. snprintf issue it seems. TIMEBUF_SIZE is defined as 25 but
snprintf in ts_print() has the following format:
"%02d/%02d/%02d-%02d:%02d:%02d.%06u "

2 + 1 + 2 + 1 + 2 + 1 + 2 + 1 + 2 + 1 + 2 + 1 + 6 + 1 = 25, probably the last
space 'doesn't fit' because the \x0 byte has to be there as well... try the following
patch for snort.c and see if it fixes the problem:

(do we really want to see 6 digits of milliseconds? :))


Index: snort.c
===================================================================
RCS file: /cvsroot/snort/snort/snort.c,v
retrieving revision 1.82
diff -u -r1.82 snort.c
--- snort.c	2001/03/28 13:24:09	1.82
+++ snort.c	2001/04/09 21:10:11
@@ -1973,7 +1973,7 @@
     if(pv.include_year)
     {
         (void) snprintf(timebuf, TIMEBUF_SIZE, 
-                        "%02d/%02d/%02d-%02d:%02d:%02d.%06u ", 
+                        "%02d/%02d/%02d-%02d:%02d:%02d.%05u ", 
                         lt->tm_mon + 1,
                         lt->tm_mday, lt->tm_year - 100, s / 3600, (s % 3600) / 60, 
                         s % 60, (u_int) tvp->tv_usec);
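Review bot: `%05u` is a minimum field width, not a maximum, so the patched format still emits six digits whenever `tvp->tv_usec` is 100000 or more (the quoted alerts carry 777164 and 870590), and the output stays 25 characters plus the terminator against a 25-byte `TIMEBUF_SIZE`; the truncation that fuses the timestamp into the address only disappears for sub-100000 microsecond values, and for those the field loses its leading zero, so a parser can no longer tell .021805 from .21805. Raising `TIMEBUF_SIZE` to 26, or checking the `snprintf` return value against `TIMEBUF_SIZE`, fixes the sizing without changing the timestamp format.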
@@ -1981,7 +1981,7 @@
     else 
     {
         (void) snprintf(timebuf, TIMEBUF_SIZE,
-                        "%02d/%02d-%02d:%02d:%02d.%06u ", lt->tm_mon + 1,
+                        "%02d/%02d-%02d:%02d:%02d.%05u ", lt->tm_mon + 1,
                         lt->tm_mday, s / 3600, (s % 3600) / 60, s % 60,
                         (u_int) tvp->tv_usec);
     }
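Review bot: this branch's format without the year is three characters shorter (`"%02d/%02d-%02d:%02d:%02d.%06u "` is 22 characters plus the terminator), so it already fits in a 25-byte `TIMEBUF_SIZE` and the change to `%05u` here gains nothing; it only makes sub-100000 microsecond values print without their leading zero. Suggest dropping this hunk and fixing the `include_year` case by sizing the buffer instead.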

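To check the sizing argument in this thread directly, here is an added C example (not Snort's code): a stand-in for the `include_year` branch of `ts_print()` using the constructed timestamp fields 04/08/01-16:04:59 and the address pair from the quoted alert. It shows the 25-byte buffer dropping the separator space so the timestamp fuses with the source address, that `%05u` is only a minimum width so six-digit microsecond values still overflow, and that a 26-byte buffer (or checking the `snprintf` return value) keeps the line parseable. The `OLD_TIMEBUF_SIZE`/`NEW_TIMEBUF_SIZE` names and helper functions are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Snort's code: a stand-in for the include_year branch of
 * ts_print() so the buffer-size argument in the mail can be checked directly.
 * The date/time fields are constructed from the quoted alert (04/08/01-16:04:59);
 * OLD/NEW_TIMEBUF_SIZE are assumed names, 25 being the value the mail reports. */

#define OLD_TIMEBUF_SIZE 25  /* reported size: 25 printable chars, no room for NUL */
#define NEW_TIMEBUF_SIZE 26  /* 25 printable chars plus the terminating NUL */

/* Format the timestamp into buf. Returns the length snprintf wanted to write
 * (excluding the NUL); a return value >= bufsize means the output was cut. */
static int format_ts(char *buf, size_t bufsize, int five_digits, unsigned usec)
{
    if (five_digits)   /* the patched format: %05u is only a minimum width */
        return snprintf(buf, bufsize, "%02d/%02d/%02d-%02d:%02d:%02d.%05u ",
                        4, 8, 1, 16, 4, 59, usec);
    return snprintf(buf, bufsize, "%02d/%02d/%02d-%02d:%02d:%02d.%06u ",
                    4, 8, 1, 16, 4, 59, usec);
}

/* 1 if the timestamp does not fit in bufsize bytes, 0 if it does. */
static int ts_truncated(size_t bufsize, int five_digits, unsigned usec)
{
    char buf[64];
    return format_ts(buf, bufsize, five_digits, usec) >= (int)bufsize;
}

/* 1 if the trailing separator space survived, 0 if it was lost. */
static int ts_has_separator(size_t bufsize, int five_digits, unsigned usec)
{
    char buf[64];
    format_ts(buf, bufsize, five_digits, usec);
    return buf[strlen(buf) - 1] == ' ';
}

/* Build the alert header line the way alert.full prints it: the timestamp
 * string immediately followed by the address pair. Static buffer, so the
 * result is only valid until the next call. */
static const char *build_header(size_t bufsize, int five_digits, unsigned usec)
{
    static char line[96];
    char timebuf[64];
    format_ts(timebuf, bufsize, five_digits, usec);
    snprintf(line, sizeof line, "%s209.16.131.73:1023 -> 10.10.10.10:22", timebuf);
    return line;
}

int main(void)
{
    printf("25-byte buffer, %%06u: %s\n", build_header(OLD_TIMEBUF_SIZE, 0, 870590));
    printf("25-byte buffer, %%05u: %s\n", build_header(OLD_TIMEBUF_SIZE, 1, 870590));
    printf("25-byte buffer, %%05u: %s\n", build_header(OLD_TIMEBUF_SIZE, 1, 21805));
    printf("26-byte buffer, %%06u: %s\n", build_header(NEW_TIMEBUF_SIZE, 0, 870590));
    printf("truncated with 25 bytes and %%05u for a 6-digit usec: %d\n",
           ts_truncated(OLD_TIMEBUF_SIZE, 1, 870590));
    printf("separator kept with 26 bytes and %%06u: %d\n",
           ts_has_separator(NEW_TIMEBUF_SIZE, 0, 870590));
    return 0;
}
```

The return value of `snprintf` is the check worth keeping in production code: it reports the length the full output would have had, so comparing it against the buffer size catches a truncated timestamp before the line is written to the alert file, instead of leaving a log consumer to discover the fused fields later.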
