[Snort-devel] preprocessor oddity

Martin Roesch roesch at ...48...
Thu Jan 4 15:12:45 EST 2001


The problem is with inet_ntoa().  When you call the function, it stores its
return value in a static memory location, so if you call it twice in the same
line it overwrites the static memory and the fprintf() parser gets two
pointers to the same piece of data that contains the data from the last call. 
In order to make it work properly, you need to do something like this:

char src_ip[16];
char dst_ip[16];

strncpy(src_ip, inet_ntoa(p->iph->ip_src), 16);
strncpy(dst_ip, inet_ntoa(p->iph->ip_dst), 16);

then put those in the fprintf statement.

    -Marty

Chris Green wrote:
> 
> I'm playing with spp_ today and this is what my toy function is at the
> moment:
> 
> void PreprocFlowstat(Packet *p)
> {
>     if(p->iph == NULL) return;
>     if(p->iph->ip_proto != IPPROTO_TCP) return;
> 
>     if(p->dp == 21) {
>         fprintf(stderr, "FTP Traffic %s -> %s Dsize: %d\n",
>                 inet_ntoa(p->iph->ip_src),
>                 inet_ntoa(p->iph->ip_dst),
>                 p->dsize);
>     }
> }
> 
> The trouble I get is
> 
> FTP Traffic SRC -> SRC Dsize: 0
> FTP Traffic SRC -> SRC Dsize: 0
> FTP Traffic SRC -> SRC Dsize: 0
> FTP Traffic SRC -> SRC Dsize: 0
> 
> Where SRC is the source ip. At first, I thought I might have a weird
> broken pcap on linux so I then went to openbsd and had the same
> behavior.
> 
> I am ftping from the machine I am running snort on to the machine
> running the ftpd.  If I use the -v switch, the ips are written out
> correctly in the dump but not in my preproc function.
> --
> Chris Green <cmg at ...81...>
> 

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
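
An added example, not part of the original message or of Snort's code: it checks that two inet_ntoa() calls return the same static buffer, then builds the log line with each address in its own caller-owned buffer. It uses inet_ntop() in place of the strncpy() copies above; the function names ntoa_shares_buffer and format_flow and the sample addresses are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Returns 1 when two consecutive inet_ntoa() calls hand back the same
 * static buffer (the usual libc behaviour), which is why both %s
 * arguments of one fprintf() end up printing the same address. */
int ntoa_shares_buffer(struct in_addr a, struct in_addr b)
{
    const char *first = inet_ntoa(a);
    const char *second = inet_ntoa(b);
    return first == second;
}

/* Formats the flow line with each address in its own buffer.
 * Returns 0 on success, -1 if conversion fails or out is too small. */
int format_flow(struct in_addr src, struct in_addr dst, int dsize,
                char *out, size_t outlen)
{
    char src_ip[INET_ADDRSTRLEN];
    char dst_ip[INET_ADDRSTRLEN];
    int n;

    if (inet_ntop(AF_INET, &src, src_ip, sizeof(src_ip)) == NULL)
        return -1;
    if (inet_ntop(AF_INET, &dst, dst_ip, sizeof(dst_ip)) == NULL)
        return -1;

    n = snprintf(out, outlen, "FTP Traffic %s -> %s Dsize: %d",
                 src_ip, dst_ip, dsize);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    struct in_addr src, dst;   /* constructed sample addresses */
    char line[64];

    inet_pton(AF_INET, "192.0.2.10", &src);
    inet_pton(AF_INET, "192.0.2.20", &dst);

    printf("shared static buffer: %d\n", ntoa_shares_buffer(src, dst));
    if (format_flow(src, dst, 0, line, sizeof(line)) == 0)
        puts(line);
    return 0;
}
```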



