[Snort-devel] spp_portscan and its logging stuff

Steve Halligan agent33 at ...269...
Thu Apr 26 15:32:52 EDT 2001

Ok, I got kinda fed up with the portscan logs to database having all of the
info in the msg field.  So I asked myself--"Self, what other info would you
like to see filled out?"  Basically, I would like to see the source ip in
the source ip field.  The only way I figured to get it in there was to grab
the current packet churning thru the preprocessor and put it thru
CallAlertFunc along with the message.  This way when the portscan starts,
when AlertIntermediateInfo happens and when the portscan stops, a one packet
snapshot of the scan is put into the log (be it database, syslog, whatever).
Some may hate the extra cruft being logged, but I kinda like it.  See
following hack to spp_portscan.c.


Index: spp_portscan.c
RCS file: /cvsroot/snort/snort/spp_portscan.c,v
retrieving revision 1.24
diff -r1.24 spp_portscan.c
< void AlertIntermediateInfo(SourceInfo *);
> void AlertIntermediateInfo(SourceInfo *, Packet *);
<                 CallAlertFuncs(NULL , logMessage, NULL);
>                 CallAlertFuncs(p , logMessage, NULL);
<                         CallAlertFuncs(NULL , logMessage, NULL);
>                         CallAlertFuncs(p , logMessage, NULL);
<                             AlertIntermediateInfo(currentSource);
>                             AlertIntermediateInfo(currentSource, p);
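
Review bot: in the `AlertIntermediateInfo(currentSource, p)` call, `p` and `currentSource` are passed as two independent arguments and nothing in the visible lines ties the packet to that source. If this call can be reached while the preprocessor is handling a packet from a different host, the alert's source IP field will be filled from that packet while `logMessage` still names the scanner, and the two will disagree in the database. Suggest comparing the packet's source address with the address tracked for `currentSource` before the call, and passing NULL as before when they differ.
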
< void AlertIntermediateInfo(SourceInfo * currentSource)
> void AlertIntermediateInfo(SourceInfo * currentSource, Packet * p)
<     CallAlertFuncs(NULL, logMessage, NULL);
>     CallAlertFuncs(p, logMessage, NULL);
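
Review bot: the new `Packet * p` parameter on the `AlertIntermediateInfo` definition has no comment saying what it represents or whether it may be NULL, while every call this patch touches previously passed NULL to `CallAlertFuncs`. Suggest documenting that `p` is whichever packet is being processed when the alert fires (a sample, not necessarily the packet that triggered the scan detection) and that NULL remains acceptable. The diff as posted also shows only the `<`/`>` lines with no line offsets or separators, so it cannot be applied mechanically; resending it as a unified diff (`diff -u`) would help.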

