[Snort-devel] Re: 2 notes about spo_alert_smb under Win32

Martin Roesch roesch at ...402...
Mon Oct 1 15:03:03 EDT 2001


Thanks for the info, patched and committed.

     -Marty

Vladislav Goncharov wrote:
> 
> Hello.
> 
> Here are 2 notes about spo_alert_smb. Tested on Win2k server.
> 
> --- Note 1 ---
> 
> Problem:
> 
> The Messenger window outputs only the first line of the message: "SNORT ALERT - Possible
> Network Attack or Probe:".
> 
> Reason:
> 
> system() strips the message in the command line after the first '\n'.
> 
> Solution:
> 
> use:
> 
>                 snprintf(command_line, 2047,
>                         "net send %s %s", tempwork, tempmsg);
> 
>                 WinExec(command_line,SW_SHOWMINNOACTIVE);
> 
> instead of using:
> 
>                 snprintf(command_line, 2047,
>                         "start /min net send %s %s", tempwork, tempmsg);
> 
>                 system(command_line);
> 
> --- Note 2 ---
> 
> Problem:
> 
> The Messenger window strips the output message.
> 
> Reason:
> 
> The Messenger window outputs only 128 characters of the message.
> 
> Solution:
> 
> Do not output "SNORT ALERT ...". Do not output the timestamp. Something like
> this:
> 
>         if(p != NULL)
>         {
>             strncpy(sip, inet_ntoa(p->iph->ip_src), 16);
>             strncpy(dip, inet_ntoa(p->iph->ip_dst), 16);
> 
>             if(p->frag_flag || p->iph->ip_proto)
>             {
>                 /* write the alert message into the buffer */
>                 snprintf(tempmsg, msg_str_size-1,
>                          " [**] %s [**]\n%s->%s", msg,
>                          sip, dip);
>             }
>             else
>             {
>                 /* write the alert message into the buffer */
>                 snprintf(tempmsg, msg_str_size-1,
>                          " [**] %s [**]\n%s:%d->%s:%d", msg,
>                          sip, p->sp, dip, p->dp);
>             }
>         }
>         else
>         {
>             /* write the alert message into the buffer - this part
>              * is for alerts with NULL packets (like portscans)
>              */
>             snprintf(tempmsg, msg_str_size-1,
>                     "[**] %s [**]\n", msg);
>         }
> 
> Vladislav Goncharov.

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org