[Snort-devel] Logging based on higher port, not source

Robert Wagner rwagner at ...1225...
Wed May 8 09:10:29 EDT 2002


In researching my previous message, I came upon the answer to another
question that has been bothering me.  I am not sure if this was by design or
accident.  I noticed that logs are being stored under the IP with the
highest port number.    snip---->  if(p->sp >= p->dp)

Thus if an attack came from 1.2.3.4:80 to 2.3.4.5:4455 then the packets
would be logged under the 1.2.3.4 IP address instead of the source of the
attacks.  This makes it difficult to track a problematic ISP as some of the
historical log information may be kept in different areas.

Please correct me if I am reading this wrong.  If this is intentional, then
I would appreciate hearing the other side to the story.  

I guess a little while ago we would never think a web server would attack
us, and all attacks would come from > 1024 port numbers so we could assume
the higher number is the attacker.  Is this still the case?  


---------------------------------------------snip from log.c - line 157 -
changes made to lines 173, 183 only
    /* build the log filename */
    if(p->iph->ip_proto == IPPROTO_TCP ||
            p->iph->ip_proto == IPPROTO_UDP)
    {
        if(p->frag_flag)
        {
            snprintf(log_file, STD_BUF, "%s/IP_FRAG%s", log_path, suffix);
        }
        else
        {
            if(p->sp >= p->dp)
            {
#ifdef WIN32
                snprintf(log_file, STD_BUF, "%s/%s_%d-%d%s", log_path,
                        protocol_names[p->iph->ip_proto], p->sp, p->dp,
                        suffix);
#else
                snprintf(log_file, STD_BUF, "%s/%s_%d-%d%s", log_path,
==================>changed : to _
                        protocol_names[p->iph->ip_proto], p->sp, p->dp,
                        suffix);
#endif
            }
            else
            {
#ifdef WIN32
                snprintf(log_file, STD_BUF, "%s/%s_%d-%d%s", log_path,
                        protocol_names[p->iph->ip_proto], p->dp, p->sp,
                        suffix);
#else
                snprintf(log_file, STD_BUF, "%s/%s_%d-%d%s", log_path,
==================>changed : to _
                        protocol_names[p->iph->ip_proto], p->dp, p->sp,
                        suffix);
#endif
            }
        }
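The naming rule quoted above, reduced to a stand-alone program so the effect on the poster's 1.2.3.4:80 -> 2.3.4.5:4455 case can be seen directly. This is an added example, not code from the post or from Snort: LOG_PATH is a constructed placeholder for the per-IP directory (which the quoted snippet does not build), and name_source_first is a hypothetical source-first variant for comparison, not a proposed Snort change.

```c
#include <stdio.h>
#include <string.h>

#define STD_BUF 1024
#define LOG_PATH "/var/log/snort/1.2.3.4"   /* constructed placeholder directory */

static const char *proto_name(int proto)
{
    return proto == 6 ? "TCP" : "UDP";      /* IPPROTO_TCP / IPPROTO_UDP */
}

/* Mirrors the quoted log.c rule: the higher port is written first, so the
 * name depends only on the port pair, not on which side sent the packet. */
static void name_higher_port_first(char *out, int proto, int sp, int dp)
{
    if (sp >= dp)
        snprintf(out, STD_BUF, "%s/%s_%d-%d", LOG_PATH, proto_name(proto), sp, dp);
    else
        snprintf(out, STD_BUF, "%s/%s_%d-%d", LOG_PATH, proto_name(proto), dp, sp);
}

/* Hypothetical source-first variant (not Snort's code): keeps direction. */
static void name_source_first(char *out, int proto, int sp, int dp)
{
    snprintf(out, STD_BUF, "%s/%s_%d-%d", LOG_PATH, proto_name(proto), sp, dp);
}

/* Returns 1 when the chosen rule yields exactly `expected` for sp -> dp. */
int names_as(const char *expected, int source_first, int proto, int sp, int dp)
{
    char buf[STD_BUF];
    if (source_first) name_source_first(buf, proto, sp, dp);
    else              name_higher_port_first(buf, proto, sp, dp);
    return strcmp(buf, expected) == 0;
}

/* Returns 1 when both directions of a flow collapse to one file name,
 * i.e. the name alone no longer tells a reviewer who initiated the traffic. */
int direction_collapses(int source_first, int proto, int sp, int dp)
{
    char a[STD_BUF], b[STD_BUF];
    if (source_first) { name_source_first(a, proto, sp, dp); name_source_first(b, proto, dp, sp); }
    else { name_higher_port_first(a, proto, sp, dp); name_higher_port_first(b, proto, dp, sp); }
    return strcmp(a, b) == 0;
}

int main(void)
{
    char buf[STD_BUF];
    name_higher_port_first(buf, 6, 80, 4455);   /* 1.2.3.4:80 -> 2.3.4.5:4455 */
    printf("higher-port rule:  %s\n", buf);     /* .../TCP_4455-80 */
    name_source_first(buf, 6, 80, 4455);
    printf("source-first rule: %s\n", buf);     /* .../TCP_80-4455 */
    return 0;
}
```

Because the higher-port rule produces the same name for 80 -> 4455 and 4455 -> 80, the log name cannot be used on its own to tell an attacking web server from a client that contacted one.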