[Snort-devel] problem with packet info -- newbie

Cearns Angela acearns at ...398...
Thu Aug 1 21:44:28 EDT 2002


hello group,
  i am new to snort. i am working on writing a generic
patch for flood detection. i want this to be
implemented as a preprocessor plugin( i think this is
the right way for flood detection). i am trying to
read the packets from the preproc function i
registered for the module. on getting the packet i am
trying to see the source and destination address. for
some strange reason the destination and source address
seem to be the same. i am clueless as why this is
happening. can u please provide me with the necessary
information

attached below is a small piece of code along with
output and testing method conducted.
Thanks,
Ang
---------------------------------------

void FloodPreprocFunction(Packet * p)
{

    /* Only do processing on IP Packets */
    if(p->iph == NULL)
    {
        return;
    }



    /*
     * Here we check if it is a protocol we are
watching and if it is a
     * destination we are watching.  If either fails,
we return abruptly.
     */
    switch(p->iph->ip_proto)
    {
        case IPPROTO_TCP:
            if(p->tcph == NULL)
#ifdef DEBUG
            printf("spp_flood: Got TCP pkt\n");
#endif
            break;

        case IPPROTO_UDP:
#ifdef DEBUG
            printf("spp_flood: Got UDP pkt\n");
#endif
            break;

        case IPPROTO_ICMP:
        printf("source address is %s destination is
%s\n", inet_ntoa(p->iph->ip_src),
inet_ntoa(p->iph->ip_dst));
#ifdef DEBUG
            printf("spp_flood: Got ICMP pkt\n");
#endif
            scanType = sICMP;

            break;

        default:
            /* The packet isn't a protocol we watch,
so get out of here. */
            return;         /*** RETURN ***/
            break;
    }

 }


void SetupFlood(void)
{
    RegisterPreprocessor("flood", FloodInit);
}


void FloodInit(u_char * args)
{
  /* read the flood arguments from the config file */
  /* currently borrowed it from spp_portscan.c */
   ParseFloodArgs(args);
   
   AddFuncToPreprocList(FloodPreprocFunction);
}


Test
----
ping -f -c 4 abc.cs.edu

abc.cs.edu has ip <a.b.c.d>
attack host has ip <p.q.r.s>

output
-------
Version 1.8.6 (Build 105)
By Martin Roesch (roesch at ...402...,
www.snort.org)
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s





__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com




More information about the Snort-devel mailing list