[Snort-devel] RE: Snort XML Plug-in: send XML to servlet

John Zeng johnz at ...343...
Tue May 1 13:30:37 EDT 2001


Just checked the CVS.  These files are still NOT committed yet.  So I am sending
them again.

John

PS. The diff:

------------------------------------------------------------------------

cvs diff spo_xml.c (in directory C:\Download\snort\snort_cvs\snort\)
Index: spo_xml.c
===================================================================
RCS file: /cvsroot/snort/snort/spo_xml.c,v
retrieving revision 1.24
diff -r1.24 spo_xml.c
795c795,799
<     bcopy( d->host_ipaddr->h_addr,(char*)&remote.sin_addr,
d->host_ipaddr->h_length);
---
> #ifdef WIN32
>     bcopy( (char*)&remote.sin_addr, d->host_ipaddr->h_addr,
d->host_ipaddr->h_length);
> #else
>     bcopy( d->host_ipaddr->h_addr, (char*)&remote.sin_addr,
d->host_ipaddr->h_length);
> #endif
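Review bot: the WIN32 branch of this hunk reverses bcopy's argument order, which only makes sense if the Windows build defines bcopy as a macro that passes its arguments unchanged to memcpy (whose order is dst, src); that is a fragile dependency on a compatibility macro, and the same line looks like a bug to anyone reading it without that knowledge. Calling `memcpy((char*)&remote.sin_addr, d->host_ipaddr->h_addr, d->host_ipaddr->h_length)` unconditionally removes both the #ifdef and the ambiguity. In either form the copy trusts h_length; bounding it by sizeof(remote.sin_addr), or checking h_addrtype == AF_INET first, keeps an unexpected address family from overrunning the sockaddr_in.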
950a955,957
> #ifdef WIN32
>         err = send(d->sk, output, strlen(output), 0);
> #else
951a959
> #endif
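Review bot: this hunk and 951a959 together wrap one write() call in #ifdef WIN32 / #else / #endif so that Winsock's send() is used, and the identical pattern is repeated for report and for recv below. Three copies of the same conditional are easy to let drift; a single wrapper (a sock_write()/sock_read() pair, or a macro that selects send/recv once) keeps the platform decision in one place. Also check how err is reported on failure: Winsock send() and recv() return SOCKET_ERROR and expose the reason via WSAGetLastError(), not errno, so if the error path prints errno, as the "connect - error # 9" message earlier in this thread suggests, the number shown on Windows will be misleading.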
955a964,966
> #ifdef WIN32
>         err = send(d->sk, report, strlen(report), 0);
> #else
956a968
> #endif
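Review bot: in both send() calls (here and in 950a955,957) err receives the number of bytes actually transferred, which for a blocking TCP socket can be less than strlen(report). If the surrounding code only tests err for -1, a short send silently truncates the XML document on the wire and the servlet receives a document that is not well-formed; loop until the whole buffer has been written or the call fails.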
970a983,985
> #ifdef WIN32
>         err = recv(d->sk, rbuf, 4096, 0);
> #else
971a987
> #endif
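Review bot: `recv(d->sk, rbuf, 4096, 0)` hard-codes the buffer size; use sizeof(rbuf) if rbuf is an array, or the constant it was allocated with, so the two cannot drift apart. recv() also does not NUL-terminate what it reads and may return only part of the HTTP response, so if rbuf is later handled as a string, read at most one byte less than the buffer and set rbuf[err] = '\0' when err >= 0.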

------------------------------------------------------------------------

cvs diff spo_xml.h (in directory C:\Download\snort\snort_cvs\snort\)
Index: spo_xml.h
===================================================================
RCS file: /cvsroot/snort/snort/spo_xml.h,v
retrieving revision 1.11
diff -r1.11 spo_xml.h
41,42c41,42
< #define SNORTML_DECLARATION "<?xml version=\"1.0\" encoding=\"UTF-8\">\n"
< #define SNORTML_DOCTYPE "<!DOCTYPE snort-message-version-0.1 PUBLIC>\n"
---
> #define SNORTML_DECLARATION "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
> #define SNORTML_DOCTYPE "<!DOCTYPE snort-message-version-0.1>\n"
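Review bot: both changes are right: the XML declaration needs the closing `?>`, and a DOCTYPE with the PUBLIC keyword must be followed by public and system identifiers, so dropping the keyword is the minimal correct fix. Two things to note: `<!DOCTYPE snort-message-version-0.1>` now names the root element with no DTD reference, so a validating receiver cannot check the document against anything; and the declared UTF-8 encoding holds only if every byte written into the body, including rule messages or payload copied into the XML, is escaped or encoded as UTF-8, otherwise the document reaching the servlet is still not well-formed.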


------------------------------------------------------------------------

-----Original Message-----
From: roman at ...49... [mailto:roman at ...49...]
Sent: Friday, April 27, 2001 9:51 AM
To: John Zeng
Cc: roman at ...49...
Subject: RE: [Snort-devel] RE: Snort XML Plug-in: send XML to servlet


John,

Fantastic!  I will review the code and make sure it gets committed.

In reference to what is the submission process for code, typically 
this is done by posting diffs to the list, and "someone" will
then commit them after review.

cheers,
Roman

> Roman,
> 
> I found the bugs and fixed them.  Now it works on my machine.  But I have
> no way to put my bug fix back into CVS.  So, I am sure you can help me to do
> so.
> Please review attached files and put them back to CVS so that next release
> (1.8?) will not have the same bugs.
> 
> Please do a diff and you will find the code changes impact the Windows version
> only.  The changes to the .h file are only for generating well-formed XML.
> The changes to the .c file are a real bug fix: WinSock uses send/recv instead of
> write/read for socket operations.
> 
> Thanks
> 
> John
> 
> PS. Can you tell me what the normal way is to put a bug fix back into the
> Snort CVS?
> 
> 
> 
> -----Original Message-----
> From: roman at ...49... [mailto:roman at ...49...]
> Sent: Friday, April 27, 2001 4:08 AM
> To: John Zeng; mike at ...27...
> Cc: roman at ...49...
> Subject: RE: [Snort-devel] RE: Snort XML Plug-in: send XML to servlet
> 
> 
> John,
> 
> > xml_plugin:  #1 :
> >  could not open connection to localhost:8080.
> > (connect - error # 9)
> 
> There is an error in creating the TCP socket to your HTTP
> server; specifically it is the connect() that is failing.  From
> my Linux (I realized you are running Win2K) man page, error #9
> means: 
> 
> "EBADF - The file descriptor is not a valid index in the descriptor table"
> 
> 
> I tried to simulate various error conditions on some Unix flavors
> (just Linux, OpenBSD, Solaris) but could not reproduce this
> one. My gut feel is that this is related to some incompatibility with
> the Windows networking/sockets.  I _never_ tested any of this
> code under Windows, nor am I proficient in specifics of Windows
> socket programming.
> 
> My understanding is that Unix EBADF is equivalent to 
> WSAEBADF in the Winsock world.  From some browsing, a common
> cause of this error message when porting Unix->Windows
> is to make assumptions about the possible values of this 
> handle.  However, I don't see any dangerous ones in the code.
> 
> MIKE (aka. Snort under Windows guru): Have you ever looked 
> at this code?  Any insight?
> 
> cheers,
> Roman
> 
> > Hi, Roman,
> > 
> > Thanks for the response.  I got an error when xml_plugin tries to send XML
> > to my web server.  Following is the log; please look at it.  If you have
> > any clue, just let me know.  I am using Windows 2000.  I already changed
> > bcopy to memcpy, write to send, read to recv.  But I still get this
> > problem.  Thanks
> > 
> > John
> > 
> > 
> > 
> >         --== Initializing Snort ==--
> > 
> > Initializing Network Interface
> > \Device\Packet_{32F708CE-FBAB-4743-81BB-0E5B059B7C8A}
> > Decoding Ethernet on interface
> > \Device\Packet_{32F708CE-FBAB-4743-81BB-0E5B059B7C8A}
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Initializating Output Plugins!
> > 
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > Using LOCAL time
> > xml_plugin: Logging to /arcsight/servlet/AgentManager
> > xml_plugin: Using http protocol
> > xml_plugin: Host set to localhost
> > xml_plugin: Port set to 8080
> > xml_plugin: Using the "log" facility
> > 634 Snort rules read...
> > 634 Option Chains linked into 117 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > 
> > Rule application order: ->activation->dynamic->alert->pass->log
> > 
> >         --== Initialization Complete ==--
> > 
> > -*> Snort! <*-
> > Version 1.7-WIN32
> > By Martin Roesch (roesch at ...16..., www.snort.org)
> > WIN32 Port By Michael Davis (mike at ...27..., www.datanerds.net/~mike)
> > xml_plugin:  #1 : could not open connection to localhost:8080.(connect - error # 9)
> > 
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: roman at ...49... [mailto:roman at ...49...]
> > Sent: Tuesday, April 24, 2001 4:20 AM
> > To: John Zeng
> > Cc: snort-devel at lists.sourceforge.net; jed at ...7...; roman at ...49...
> > Subject: Re: [Snort-devel] RE: Snort XML Plug-in: send XML to servlet
> > 
> > 
> > John,
> > 
> > Using servlets should not present any problems to the XML 
> > plugin.  Essentially, Snort will attempt to make an HTTP POST
> > request to the web server.  The target URI of the POST will
> > be whatever is configured in the 'file' parameter; that is to say,
> > that string will be put directly into the raw HTTP POST request.
> > Thus, you can have it invoke a servlet, JSP, etc.  The "file"
> > parameter is synonymous with the HTML <FORM> attribute
> > "ACTION=".
> > 
> > cheers,
> > Roman
> > 
> > > I forgot to mention that I am using version 1.7 under the Windows
> > > platform.
> > > 
> > > >  -----Original Message-----
> > > > From: 	John Zeng  
> > > > Sent:	Monday, April 23, 2001 7:42 PM
> > > > To:	'snort-devel at lists.sourceforge.net'
> > > > Subject:	Snort XML Plug-in: send XML to servlet
> > > > 
> > > > Hi, 
> > > > 
> > > > I am going to use the Snort XML Plug-in to send Snort alerts to my web
> > > > server.  Currently I have a servlet to receive these alerts.
> > > > I read the Snort XML plug-in installation document.  I know the XML
> > > > can be sent to a CGI (by setting the 'file' parameter).  But I didn't
> > > > find any place to set my servlet name.
> > > > Can anybody throw me a light to help me set up the Snort XML plug-in
> > > > so that I can receive this XML in my servlet?
> > > > Thanks in advance!
> > > > 
> > > > John
> > > > 
> > > 
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > 
> > 
> > 
> > 
> > ---------------------------------------------
> > This message was sent using Voicenet WebMail.
> >       http://www.voicenet.com/webmail/
> > 
> > 
> > 
> > 
> 
> 
> 
> 
> 
> 



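The WinSock points raised in this thread (send/recv instead of write/read, the error code living in WSAGetLastError() rather than errno, and the #ifdef WIN32 block repeated three times in the diff) collected into one portable shim. This is an added example, not code from spo_xml.c or the Snort project; the names sock_t, sock_errno, sock_send_all and sock_recv_str are chosen here, and the test exercises it over a local socketpair on a POSIX host.

```c
#include <stddef.h>
#include <string.h>

#ifdef WIN32
#  include <winsock2.h>
   typedef SOCKET sock_t;            /* Winsock handles are not file descriptors */
#  define sock_errno() WSAGetLastError()
#else
#  include <errno.h>
#  include <sys/socket.h>
   typedef int sock_t;
#  define sock_errno() errno
#endif

/* Send the whole buffer, retrying after short writes.  A blocking TCP
 * send() may transfer fewer bytes than requested; returning after one call
 * (as err = send(...) does in the patch above) can truncate the XML on the
 * wire.  Returns 0 on success, -1 on error; the caller reads sock_errno(). */
int sock_send_all(sock_t sk, const char *buf, size_t len)
{
    while (len > 0) {
        int n = (int)send(sk, buf, (int)len, 0);
        if (n <= 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Receive up to cap-1 bytes and NUL-terminate, so the caller may treat the
 * buffer as a C string.  recv() never terminates what it reads, and a
 * hard-coded 4096 (as in the patch) leaves no room for the terminator.
 * Returns the byte count, or -1 on error or a zero-sized buffer. */
int sock_recv_str(sock_t sk, char *buf, size_t cap)
{
    int n;
    if (cap == 0)
        return -1;
    n = (int)recv(sk, buf, (int)(cap - 1), 0);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}
```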


-------------- next part --------------
A non-text attachment was scrubbed...
Name: spo_xml.c
Type: application/octet-stream
Size: 51337 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010501/c7cdb086/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spo_xml.h
Type: application/octet-stream
Size: 6247 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010501/c7cdb086/attachment-0001.obj>

