[Snort-devel] spp_portscan and its logging stuff

Steve Halligan agent33 at ...269...
Thu Apr 26 15:42:03 EDT 2001


Let me retract this...something ain't right.  I'll look into it and get back
to ya :)

> 
> Ok, I got kinda fed up with the portscan logs to database having all of the
> info in the msg field.  So I asked myself--"Self, what other info would you
> like to see filled out?"  Basically, I would like to see the source ip in
> the source ip field.  The only way I figured to get it in there was to grab
> the current packet churning thru the preprocessor and put it thru
> CallAlertFunc along with the message.  This way when the portscan starts,
> when AlertIntermediateInfo happens and when the portscan stops, a one packet
> snapshot of the scan is put into the log (be it database, syslog, whatever).
> Some may hate the extra cruft being logged, but I kinda like it.  See
> following hack to spp_portscan.c.
> 
> -steve
> 
> 
> Index: spp_portscan.c
> ===================================================================
> RCS file: /cvsroot/snort/snort/spp_portscan.c,v
> retrieving revision 1.24
> diff -r1.24 spp_portscan.c
> 175c175
> < void AlertIntermediateInfo(SourceInfo *);
> ---
> > void AlertIntermediateInfo(SourceInfo *, Packet *);
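Review bot: changing the prototype of `AlertIntermediateInfo` to take a `Packet *` means every call site has to move to the new signature in this same patch; the only caller shown updated is the one at 988, so confirm no other call is left on the old one-argument form, which would fail to compile against this header.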
> 953c953
> <                 CallAlertFuncs(NULL , logMessage, NULL);
> ---
> >                 CallAlertFuncs(p , logMessage, NULL);
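Review bot: passing `p` instead of NULL here hands the output plugins whatever packet was flowing through the preprocessor when the alert fired, so this call needs a guarantee that `p` is non-NULL and actually belongs to the scanning source; otherwise the source IP field this change is meant to fill will carry another host's address. Cosmetic: `p ,` has a stray space before the comma.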
> 978c978
> <                         CallAlertFuncs(NULL , logMessage, NULL);
> ---
> >                         CallAlertFuncs(p , logMessage, NULL);
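Review bot: check whether this alert path can fire from an expiry or status check rather than from a packet sent by the scanner; if it can, the one-packet snapshot logged here may be a packet from an unrelated host and the scan gets misattributed. For that case, taking the address fields from `currentSource` (the saved scanner record) rather than from the packet in flight would keep the logged source IP correct.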
> 988c988
> <                             AlertIntermediateInfo(currentSource);
> ---
> >                             AlertIntermediateInfo(currentSource, p);
> 1502c1502
> < void AlertIntermediateInfo(SourceInfo * currentSource)
> ---
> > void AlertIntermediateInfo(SourceInfo * currentSource, Packet * p)
> 1511c1511
> <     CallAlertFuncs(NULL, logMessage, NULL);
> ---
> >     CallAlertFuncs(p, logMessage, NULL);
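Review bot: the hunks are in plain `diff` output with no context lines, so they only apply cleanly to exactly revision 1.24 and reviewers cannot see the surrounding code (for instance whether `p` is guaranteed non-NULL at each changed call); a unified diff (`diff -u`) would show that context and let the change be applied with `patch` against nearby revisions.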
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
> 
