[Snort-devel] preprocessor oddity

Fyodor fygrave at ...1...
Thu Jan 4 16:11:15 EST 2001


On Thu, Jan 04, 2001 at 01:59:54PM -0600, Chris Green wrote:
> I'm playing with spp_ today and this is what my toy function is at the
> moment is:
> 
> void PreprocFlowstat(Packet *p)
> {
>     if(p->iph == NULL) return;
>     if(p->iph->ip_proto != IPPROTO_TCP) return;

make it:

if (p->iph == NULL || p->iph->ip_proto != IPPROTO_TCP || p->tcph == NULL) return;

iph/tcph pointer will be null if any error occurred while parsing out the
tcp header (short header, malformed fields, etc)

>     if(p->dp == 21) {
> 	fprintf(stderr, "FTP Traffic %s -> %s Dsize: %d\n",
> 		inet_ntoa(p->iph->ip_src),
> 		inet_ntoa(p->iph->ip_dst),
> 		p->dsize);
>     }
> }
> 
> The trouble I get is
> 
> FTP Traffic SRC -> SRC Dsize: 0
> FTP Traffic SRC -> SRC Dsize: 0
> FTP Traffic SRC -> SRC Dsize: 0
> FTP Traffic SRC -> SRC Dsize: 0
> 
> Where SRC is the source ip. At first, I thought I might have a weird
> broken pcap on linux so I then went to openbsd and had the same
> behavior.

inet_ntoa is not a re-entrant function. It uses a single static buffer, that's why
you get the same string printed (arguments are pushed onto the stack for
fprintf starting from the last). Make some static buffers in your routine and
bcopy or strncpy the ASCII representation of the addresses into them, or print addresses
as: .. %d.%d.%d.%d", *((unsigned char *)&p->iph->ip_src)&0xff, *((unsigned char *)&p->iph->ip_src + 1)&0xff,
*((unsigned char *)&p->iph->ip_src + 2)&0xff, *((unsigned char *)&p->iph->ip_src + 3)&0xff);

 or something.. :-) (looks ugly, eh? have an easier way? :))

 

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
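The static-buffer problem described in the reply, shown side by side with the three ways out of it (copying each inet_ntoa result into its own buffer, printing the octets by hand, and the re-entrant inet_ntop). This is an added example, not code from the post or from Snort; the function names, the flow_formatter typedef and the addresses 10.0.0.1 and 192.0.2.7 are constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Formatter signature shared by the buggy and the fixed versions below.
 * Both in_addr values are in network byte order, as p->iph->ip_src/ip_dst are. */
typedef int (*flow_formatter)(struct in_addr src, struct in_addr dst,
                              char *out, size_t outlen);

/* The pattern from the post: two inet_ntoa() calls in one argument list.
 * inet_ntoa() returns a pointer to one static buffer, so both arguments
 * point at the same bytes; whichever call runs last (argument evaluation
 * order is unspecified in C) decides what BOTH fields show. */
static int format_flow_buggy(struct in_addr src, struct in_addr dst,
                             char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s -> %s", inet_ntoa(src), inet_ntoa(dst));
}

/* Fix 1 (the "make some buffers and strncpy" suggestion): copy each result
 * out of the static buffer before calling inet_ntoa() again. */
static int format_flow_copy(struct in_addr src, struct in_addr dst,
                            char *out, size_t outlen)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    strncpy(s, inet_ntoa(src), sizeof s - 1);
    s[sizeof s - 1] = '\0';
    strncpy(d, inet_ntoa(dst), sizeof d - 1);
    d[sizeof d - 1] = '\0';
    return snprintf(out, outlen, "%s -> %s", s, d);
}

/* Fix 2 (the "%d.%d.%d.%d" suggestion): print the four octets directly.
 * The bytes of an in_addr sit in memory in network order, so indexing
 * them 0..3 yields the dotted quad without any byte swapping. */
static int format_flow_octets(struct in_addr src, struct in_addr dst,
                              char *out, size_t outlen)
{
    const unsigned char *a = (const unsigned char *)&src;
    const unsigned char *b = (const unsigned char *)&dst;
    return snprintf(out, outlen, "%u.%u.%u.%u -> %u.%u.%u.%u",
                    a[0], a[1], a[2], a[3], b[0], b[1], b[2], b[3]);
}

/* Fix 3 (the easier way): inet_ntop() writes into a caller-supplied
 * buffer and is re-entrant, so two calls never clobber each other. */
static int format_flow_ntop(struct in_addr src, struct in_addr dst,
                            char *out, size_t outlen)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, &src, s, sizeof s) == NULL ||
        inet_ntop(AF_INET, &dst, d, sizeof d) == NULL)
        return -1;
    return snprintf(out, outlen, "%s -> %s", s, d);
}

/* Run a formatter over constructed addresses (10.0.0.1 -> 192.0.2.7, chosen
 * for this example) and report whether it printed two distinct addresses
 * in the right order. The buggy formatter fails this regardless of which
 * inet_ntoa() call the compiler evaluates last. */
static int formatter_is_correct(flow_formatter fmt)
{
    struct in_addr src, dst;
    char buf[64];

    if (inet_pton(AF_INET, "10.0.0.1", &src) != 1 ||
        inet_pton(AF_INET, "192.0.2.7", &dst) != 1)
        return 0;
    if (fmt(src, dst, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, "10.0.0.1 -> 192.0.2.7") == 0;
}

int main(void)
{
    struct { const char *name; flow_formatter fmt; } cases[] = {
        { "inet_ntoa twice (buggy)",    format_flow_buggy  },
        { "strncpy into local buffers", format_flow_copy   },
        { "manual octets",              format_flow_octets },
        { "inet_ntop",                  format_flow_ntop   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct in_addr src, dst;
        char buf[64];
        inet_pton(AF_INET, "10.0.0.1", &src);
        inet_pton(AF_INET, "192.0.2.7", &dst);
        cases[i].fmt(src, dst, buf, sizeof buf);
        printf("%-28s %s  [%s]\n", cases[i].name, buf,
               formatter_is_correct(cases[i].fmt) ? "ok" : "WRONG");
    }
    return 0;
}
```

Of the three fixes, inet_ntop is the one to reach for in a preprocessor: it is re-entrant, it takes the buffer size, and the same call handles IPv6 with AF_INET6 and INET6_ADDRSTRLEN, whereas the strncpy version still depends on inet_ntoa's hidden buffer and the manual-octet version is IPv4 only.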