[Snort-devel] 2 notes about spo_alert_smb under Win32

Vladislav Goncharov vladg at ...804...
Fri Sep 7 03:27:26 EDT 2001


Hello.

Here are 2 notes about spo_alert_smb. Tested on Win2k server.

--- Note 1 ---

Problem:

The Messenger window outputs only the first line of the message: "SNORT ALERT - Possible
Network Attack or Probe:".

Reason:

system() strips the message in the command line after the first '\n'.

Solution:

use:

                /* WinExec() starts net.exe directly, without cmd.exe parsing
                 * the line, so the '\n' characters in tempmsg reach net send */
                snprintf(command_line, 2047,
                        "net send %s %s", tempwork, tempmsg);

                WinExec(command_line,SW_SHOWMINNOACTIVE);

instead of using:

                /* system() hands the line to the command interpreter (cmd.exe),
                 * which stops reading it at the first '\n' */
                snprintf(command_line, 2047,
                        "start /min net send %s %s", tempwork, tempmsg);

                system(command_line);

--- Note 2 ---

Problem:

The Messenger window strips the output message.

Reason:

The Messenger window outputs only 128 characters of the message.

Solution:

Do not output "SNORT ALERT ...". Do not output timestamp. Something like
this:

        if(p != NULL)
        {
            /* dotted-quad addresses; 16 bytes hold "255.255.255.255\0" */
            strncpy(sip, inet_ntoa(p->iph->ip_src), 16);
            strncpy(dip, inet_ntoa(p->iph->ip_dst), 16);

            if(p->frag_flag || p->iph->ip_proto)
            {
                /* write the alert message into the buffer: rule message
                 * and addresses only, no banner and no timestamp */
                snprintf(tempmsg, msg_str_size-1,
                         " [**] %s [**]\n%s->%s", msg,
                         sip, dip);
            }
            else
            {
                /* write the alert message into the buffer, with ports */
                snprintf(tempmsg, msg_str_size-1,
                         " [**] %s [**]\n%s:%d->%s:%d", msg,
                         sip, p->sp, dip, p->dp);
            }
        }
        else
        {
            /* write the alert message into the buffer - this part
             * is for alerts with NULL packets (like portscans)
             */
            snprintf(tempmsg, msg_str_size-1,
                    "[**] %s [**]\n", msg);
        }

Vladislav Goncharov.
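A budget check for the compact layout from Note 2, added here as an example (it is not code from the post or from Snort): it formats the alert the same way and, if the text would exceed the 128-character Messenger limit, trims the rule message rather than the addresses, so the part an operator needs most is never the part that gets cut. The alert_pkt struct, the sample packets and the long rule name are constructed stand-ins for Snort's Packet fields.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the Snort Packet fields the post reads. */
struct alert_pkt {
    const char *sip, *dip;  /* dotted-quad source and destination */
    unsigned short sp, dp;  /* ports, meaningful only if has_ports */
    int has_ports;          /* 0 for fragments / protocols without ports */
};

#define MESSENGER_MAX 128   /* Messenger display limit from Note 2 */
/* Format the compact Note 2 layout into out. If the text would exceed limit
 * bytes (or the buffer), shorten the rule message first so the address/port
 * line is never lost. Returns the final length, or -1 if nothing fits. */
static int format_smb_alert(char *out, size_t outsz, size_t limit,
                            const char *msg, const struct alert_pkt *p)
{
    size_t mlen = strlen(msg), eff, over;
    int n;
    if (outsz == 0) return -1;
    eff = limit < outsz - 1 ? limit : outsz - 1;   /* usable byte budget */
    for (;;) {
        if (p == NULL)          /* NULL packet, e.g. portscan alerts */
            n = snprintf(out, outsz, "[**] %.*s [**]\n", (int)mlen, msg);
        else if (!p->has_ports)
            n = snprintf(out, outsz, " [**] %.*s [**]\n%s->%s",
                         (int)mlen, msg, p->sip, p->dip);
        else
            n = snprintf(out, outsz, " [**] %.*s [**]\n%s:%hu->%s:%hu",
                         (int)mlen, msg, p->sip, p->sp, p->dip, p->dp);
        if (n < 0) return -1;
        if ((size_t)n <= eff) return n;
        over = (size_t)n - eff;         /* bytes to shave off the rule msg */
        if (over > mlen) return -1;     /* fixed part alone does not fit */
        mlen -= over;                   /* second pass is guaranteed to fit */
    }
}
/* Constructed sample inputs and a static-buffer wrapper for stand-alone use. */
static const struct alert_pkt sample_tcp  = { "10.0.0.1", "10.0.0.2", 1234, 80, 1 };
static const struct alert_pkt sample_frag = { "10.0.0.1", "10.0.0.2", 0, 0, 0 };
static char g_last[256], g_long[201];
static int alert_len(const char *msg, const struct alert_pkt *p)
{
    return format_smb_alert(g_last, sizeof g_last, MESSENGER_MAX, msg, p);
}
static const char *last_alert(void) { return g_last; }
static const char *long_rule_name(void)   /* 200 'A's, longer than fits */
{
    memset(g_long, 'A', 200); g_long[200] = '\0'; return g_long;
}
```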
