[Snort-devel] Repost of previous msg

Paul Cardon paul at ...186...
Sat Jan 13 10:40:15 EST 2001


Jarmo Järvenpää wrote:
> 
> Hmm, I need to be more specific - I _will_ receive the popup message on
> my NT workstation, but the information in the popup is incorrect.
> 
> And to be more specific, the destination ip is the same as the
> originating ip, even though it's originated from somewhere else.
> 
> And if I look at the logfiles created by snort, it's correct there. So only
> the popup is incorrect.

Sounded like an inet_ntoa misusage and it was.  These keep creeping into
the plugins so everybody keep in mind that it uses a static buffer that
is overwritten each time it is called.  The patch is attached for 1.7
and current CVS.

-paul
-------------- next part --------------
--- spo_alert_smb.c.orig	Tue Jan  2 02:03:02 2001
+++ spo_alert_smb.c	Sat Jan 13 10:29:47 2001
@@ -162,6 +162,8 @@
     char *tempmsg;
     char tempwork[STD_BUF];
     char timestamp[23];
+    char sip[16];
+    char dip[16];
     int msg_str_size;
     SpoAlertSmbData *data = (SpoAlertSmbData *)arg;
 
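Review bot: The new `sip[16]` and `dip[16]` declarations hard-code the buffer size, and the same literal 16 is repeated in the `strncpy` calls in the next hunk. Declaring them with a named constant such as `INET_ADDRSTRLEN` (16 for IPv4 dotted-quad plus terminator) and using `sizeof(sip)` / `sizeof(dip)` at the call sites would keep the two in step if either is ever changed.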
@@ -187,15 +189,17 @@
     {
         if(p != NULL)
         {
+            strncpy(sip, inet_ntoa(p->iph->ip_src), 16);
+            strncpy(dip, inet_ntoa(p->iph->ip_dst), 16);
             if(p->frag_flag || p->iph->ip_proto)
             {
                 /* write the alert message into the buffer */
-                sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n%s %s->%s", msg, timestamp, inet_ntoa(p->iph->ip_src), inet_ntoa(p->iph->ip_dst));
+                sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n%s %s->%s", msg, timestamp, sip, dip);
             }
             else
             {
                 /* write the alert message into the buffer */
-                sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n%s %s:%d->%s:%d", msg, timestamp, inet_ntoa(p->iph->ip_src), p-> sp, inet_ntoa(p->iph->ip_dst), p->dp);
+                sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n%s %s:%d->%s:%d", msg, timestamp, sip, p->sp, dip, p->dp);
             }
         }
         else
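Review bot: The two added `strncpy(..., 16)` lines rely on `inet_ntoa` never returning more than 15 characters, because `strncpy` does not write a terminator when the source fills the whole destination. That holds for an IPv4 dotted quad, but it is implicit; passing `sizeof(sip)` and setting `sip[sizeof(sip) - 1] = '\0'` (same for `dip`) makes it explicit. Separately, both rewritten `sprintf(tempmsg, ...)` calls are still unbounded on `msg`, and the size `tempmsg` is allocated with is not visible in this hunk, so it is worth confirming that it covers the fixed text plus `msg`, `timestamp`, both addresses and the ports, or switching to a bounded formatter.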

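The static-buffer behaviour described in the message above, as an added example that is not part of the original post or of the Snort source: the first function repeats the two-calls-in-one-format pattern, the second renders each address into its own buffer. It uses `inet_ntop` rather than the patch's `strncpy` copy; the function names and sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Buggy pattern: both inet_ntoa() results point at the same static buffer,
 * so whichever call ran last supplies the text for both %s arguments. */
int format_pair_buggy(char *out, size_t n, struct in_addr src, struct in_addr dst)
{
    return snprintf(out, n, "%s->%s", inet_ntoa(src), inet_ntoa(dst));
}

/* Fixed pattern: each address is rendered into its own caller-owned buffer. */
int format_pair_fixed(char *out, size_t n, struct in_addr src, struct in_addr dst)
{
    char sip[INET_ADDRSTRLEN];
    char dip[INET_ADDRSTRLEN];

    if (inet_ntop(AF_INET, &src, sip, sizeof(sip)) == NULL ||
        inet_ntop(AF_INET, &dst, dip, sizeof(dip)) == NULL)
        return -1;
    return snprintf(out, n, "%s->%s", sip, dip);
}

/* Returns 1 when the text on both sides of "->" is identical,
 * which is the symptom reported for the popup. */
int sides_match(const char *s)
{
    const char *arrow = strstr(s, "->");
    size_t left;

    if (arrow == NULL)
        return 0;
    left = (size_t)(arrow - s);
    return strlen(arrow + 2) == left && strncmp(s, arrow + 2, left) == 0;
}

int main(void)
{
    struct in_addr src, dst;
    char buggy[64], fixed[64];

    inet_pton(AF_INET, "10.0.0.1", &src);      /* constructed sample addresses */
    inet_pton(AF_INET, "192.168.1.2", &dst);
    format_pair_buggy(buggy, sizeof(buggy), src, dst);
    format_pair_fixed(fixed, sizeof(fixed), src, dst);
    printf("buggy: %s\nfixed: %s\n", buggy, fixed);
    return sides_match(buggy) && !sides_match(fixed) ? 0 : 1;
}
```

Which of the two addresses appears twice in the buggy output depends on the order the compiler evaluates the arguments, so a check for this bug should compare the two sides rather than expect a particular one.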
