[Snort-devel] Alert File/spp_portscan output inconsistency

Paul Ritchey pritchey at ...278...
Fri Feb 16 11:16:36 EST 2001

Hi All:

While doing some work-related stuff with the alerts file (using full alert mode), I discovered a small inconsistency in the way normal alerts (tcp, udp and icmp) are written as compared to alerts from the spp_portscan plug-in.

For normal alerts, there is a blank line separating them.  This is not the case for scan alerts.  Scan alerts are written with no blank line separating them from the next alert in the file.

Examining the source code (log.c, specifically AlertFull) revealed that during the process of writing the alert out, the date stamp is written with no trailing '\n'.  For instances where a packet is passed to be printed out, additional information is printed for this line and then the '\n' is added.  For each additional line from the packet to be printed, they all terminate with a '\n'.  After everything has been printed, a final '\n' is printed using an 'fputc' call which either puts a blank line between normal alerts where packet information was output, or puts the missing '\n' on immediately after the time stamp (not resulting in a blank line).

In order to make the alert file more consistent, can an additional '\n' be added in cases where no packet info is output so the blank line is created?

I propose slightly altering the following 'if' statement (condensed for readability) such as it appears in 'AlertFull' in log.c:

	if (p) {
		/* ... packet information printed here, each line ending in '\n' ... */
	}
	fputc('\n', file);

To the following:

	if (p) {
		/* ... packet information printed here, each line ending in '\n' ... */
		fputc('\n', file);
	} else {
		/* fputc() writes a single character, so use fputs() for the double '\n' */
		fputs("\n\n", file);
	}

Note the movement of the 'fputc' from outside the 'if' statement to inside the statement, prior to the 'else' clause, then adding on an 'else' clause that outputs a double '\n'.

I do not know if this alteration needs to be made anywhere else.......

This issue is with Snort version 1.6.3 patch 2.  I have examined the source code from v1.7 in CVS and it appears the same......

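The newline logic described in the message above, reconstructed as an added C example (this is not Snort's own code; write_alert() and its arguments are a hypothetical simplification of the tail of AlertFull, and the alert text, timestamp and addresses are constructed sample data). With apply_fix set to 0 the final newline is the unconditional fputc('\n') of Snort 1.6.3; with apply_fix non-zero it is the proposed if/else, so the scan-style alert without packet information also ends in a blank line:

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical reconstruction of the tail of AlertFull() in Snort's log.c
 * (added example, not Snort's code).  The timestamp is written without a
 * trailing '\n'; packet information, when present, finishes that line and
 * ends in '\n'; then the terminating newline(s) are written.
 */
static void write_alert(FILE *file, const char *msg, const char *timestamp,
                        const char *packet_line, int apply_fix)
{
    fprintf(file, "[**] %s [**]\n", msg);
    fputs(timestamp, file);                  /* no trailing '\n' here */

    if (packet_line != NULL)
        fprintf(file, " %s\n", packet_line); /* rest of the timestamp line */

    if (!apply_fix || packet_line != NULL) {
        fputc('\n', file);                   /* blank line, or merely the end of the timestamp line */
    } else {
        /* proposed else branch: fputc() writes one character, so
         * fputc('\n\n', file) would not produce two newlines; use fputs() */
        fputs("\n\n", file);
    }
}

/* Number of '\n' characters at the end of s; 2 means a blank line follows. */
static int trailing_newlines(const char *s)
{
    size_t len = strlen(s);
    int count = 0;

    while (len > 0 && s[len - 1] == '\n') {
        count++;
        len--;
    }
    return count;
}

/*
 * Write one alert to a temporary file and report how many newlines end it.
 * has_packet selects a normal alert (packet info present) versus an
 * spp_portscan-style alert (no packet).  Returns -1 on I/O failure.
 */
int alert_trailing_newlines(int has_packet, int apply_fix)
{
    /* constructed sample data, not taken from a real alert file */
    const char *ts = "02/16-11:16:36.123456";
    char buf[512];
    FILE *file = tmpfile();
    size_t n;

    if (file == NULL)
        return -1;

    if (has_packet)
        write_alert(file, "SAMPLE alert", ts,
                    "10.0.0.1:1234 -> 10.0.0.2:80", apply_fix);
    else
        write_alert(file, "spp_portscan: PORTSCAN DETECTED from 10.0.0.1",
                    ts, NULL, apply_fix);

    rewind(file);
    n = fread(buf, 1, sizeof buf - 1, file);
    fclose(file);
    buf[n] = '\0';

    return trailing_newlines(buf);
}

int main(void)
{
    printf("original, packet info:   %d newline(s)\n", alert_trailing_newlines(1, 0));
    printf("original, scan (no pkt): %d newline(s)\n", alert_trailing_newlines(0, 0));
    printf("fixed,    packet info:   %d newline(s)\n", alert_trailing_newlines(1, 1));
    printf("fixed,    scan (no pkt): %d newline(s)\n", alert_trailing_newlines(0, 1));
    return 0;
}
```

The original path yields two trailing newlines (a blank line) only when packet information was printed and a single newline for the scan alert; the proposed else branch makes both cases end with a blank line, which is what a line-oriented alert parser that splits records on blank lines relies on.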