[Snort-devel] 2 Questions about tag option

Lawrence Reed Lawrence.Reed at ...1489...
Thu Mar 27 06:16:18 EST 2003


Hi Chris,
After taking a peek at the code, I don't think my test results are
correct.  But I don't think the tagging is working correctly either.  It
looks like TAG_SESSION is ok but TAG_HOST_* is not.  It looks like
tag_host_src might work, but tag_host_dst will not.

I have not tested this patch, but this is what I am thinking:

--- tag.c.orig  Mon Aug 26 21:10:07 2002
+++ tag.c       Thu Mar 27 14:11:50 2003
@@ -284,13 +284,13 @@
 {
    DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "TAGGING HOST\n"););

-    if(tag->tag_direction == SRC)
+    if(tag->tag_direction == TAG_HOST_SRC)
     {
-        AddTagNode(p, tag, TAG_HOST, time, event_id);
+        AddTagNode(p, tag, TAG_HOST_SRC, time, event_id);
     }
     else
     {
-        AddTagNode(p, tag, TAG_HOST, time, event_id);
+        AddTagNode(p, tag, TAG_HOST_DST, time, event_id);
     }
 }
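Review bot: the rewritten condition `if(tag->tag_direction == TAG_HOST_SRC)` assumes the rule option parser stores TAG_HOST_SRC in tag_direction, but the line it replaces compared against SRC; if the parser still writes SRC, the test never matches and every host tag, `src` included, falls into the else branch and is filed as TAG_HOST_DST, which is the symptom being chased. Confirm which constant the parser assigns, or keep `== SRC` as the test and only change the value handed to AddTagNode. Since AddTagNode now receives TAG_HOST_SRC or TAG_HOST_DST in place of TAG_HOST, any comparison against TAG_HOST inside AddTagNode or the lookup path must be updated to accept both new values, otherwise host tags stop reaching the host cache altogether.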

@@ -377,7 +377,8 @@
     }
     else
     {
-        /* check for dups */
+
+                             /* check for dups */
         tmp.sip = idx->sip;
         returned = (TagNode *) ubi_sptFind(host_tag_cache_ptr,
                                             (ubi_btItemPtr)idx);
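Review bot: this hunk changes only whitespace: the `/* check for dups */` comment is moved under a new blank line and indented far to the right of the `tmp.sip = idx->sip;` it describes. Drop the hunk from the patch so that only the functional change has to be reviewed.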
@@ -391,6 +392,15 @@

         if(returned == NULL)
         {
+            if ( mode ==TAG_HOST_DST ) {
+             /* we need to switch the sip and dip fields for the 
compare to work right */
+
+               tmp.sip = idx->sip;
+               tmp.dip = idx->dip;
+              idx->dip=tmp.sip;
+              idx->sip=tmp.dip;
+
+           }
             if(ubi_sptInsert(host_tag_cache_ptr,(ubi_btNodePtr)idx,
                         (ubi_btNodePtr)idx, NULL) == FALSE)
             {
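Review bot: the sip/dip swap for `mode == TAG_HOST_DST` is placed after `ubi_sptFind` has already searched for `idx` with the unswapped addresses, so the duplicate check runs against one key and the node then inserted carries another; the two can disagree on whether a destination host is already tagged, and the `tmp.sip = idx->sip;` that feeds the compare is likewise set before the swap. Move the swap ahead of the find (or build the key from dip when the mode is TAG_HOST_DST) so the compare and the insert see the same node. Two smaller points: the added block is indented inconsistently with the surrounding four-space style, and the comment is wrapped onto a second line (`compare to work right */`) without a leading `+`, so the patch will not apply as posted.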



Feel free to edit/change/ignore as you see appropriate.



Chris Green wrote:

>"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:
>
>>Has the tag rule option changed in 2.0?  In particular should "tag:
>>host, packets, 300, src" still work?  It looks like the src and dst
>>attributes are no longer functioning.  My testing shows that tag host
>>really means tag host src AND dst regardless of which (src or dst) you
>>specify.
>
>Need to go test that out.
>
>>Second question: how does tagging interact with stream reassembly?
>>My testing shows tagged packets getting logged twice, first individual
>>packets and then again as one packet, presumably from stream
>>reassembly.  I have found the packet tagging to be an extremely useful
>>feature.  I use it extensively to capture packets after a particular
>>attack so that I can determine the success of the attack.
>
>Yeah it does do both.  It should probably be changed to ignore rebuilt
>packets.

-- 
Larry Reed  Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
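The src/dst semantics argued over above, as an added example that is not part of this thread and is not Snort's own code: a small C model of a host-tag cache in which the tag direction decides which address of the alerting packet the tag follows, and the same key then drives both the duplicate check and the insert so the two cannot disagree. It also skips rebuilt packets, the change Chris suggests for the double logging. The enum values, the structures, the array-backed cache and the function names (make_pkt, reset_host_tags, add_host_tag, check_host_tag) are assumptions made for illustration, and the addresses are constructed sample traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Snort's tag.c: enum values, structs, the array
 * cache and all names below are assumptions for illustration. Snort keeps
 * host tags in a splay tree (ubi_sptFind/ubi_sptInsert); the point modelled
 * here is the keying, not the container. */
enum tag_mode { TAG_SESSION = 0, TAG_HOST_SRC = 1, TAG_HOST_DST = 2 };

struct pkt {
    uint32_t sip;   /* source address, host byte order */
    uint32_t dip;   /* destination address */
    int rebuilt;    /* 1 for a stream-reassembled pseudo-packet, else 0 */
};

struct tag_node {
    int used;
    uint32_t key;   /* the one host address this tag follows */
    int remaining;  /* packets left to log before the tag expires */
};

#define MAX_TAGS 16
static struct tag_node host_tags[MAX_TAGS];

struct pkt make_pkt(uint32_t sip, uint32_t dip, int rebuilt)
{
    struct pkt p;
    p.sip = sip;
    p.dip = dip;
    p.rebuilt = rebuilt;
    return p;
}

/* Clears the cache; returns how many live tags were dropped. */
int reset_host_tags(void)
{
    int i, live = 0;
    for (i = 0; i < MAX_TAGS; i++)
        live += host_tags[i].used;
    memset(host_tags, 0, sizeof host_tags);
    return live;
}

/* "tag: host, ..., src" follows the alerting packet's source address,
 * "... dst" its destination. Direction is consulted here and nowhere else,
 * so the duplicate check and the insert always use the same key. */
static uint32_t host_key(struct pkt p, enum tag_mode mode)
{
    return mode == TAG_HOST_DST ? p.dip : p.sip;
}

/* Returns 1 when a new tag is installed, 0 when that host is already
 * tagged (duplicate), -1 when the cache is full. */
int add_host_tag(struct pkt p, enum tag_mode mode, int count)
{
    uint32_t key = host_key(p, mode);
    int i;
    for (i = 0; i < MAX_TAGS; i++)
        if (host_tags[i].used && host_tags[i].key == key)
            return 0;
    for (i = 0; i < MAX_TAGS; i++) {
        if (!host_tags[i].used) {
            host_tags[i].used = 1;
            host_tags[i].key = key;
            host_tags[i].remaining = count;
            return 1;
        }
    }
    return -1;
}

/* Returns 1 if the packet should be logged because either address is a
 * tagged host, else 0. Rebuilt packets are skipped, as suggested in the
 * thread, so a flow is not logged per segment and again reassembled. */
int check_host_tag(struct pkt p)
{
    int i;
    if (p.rebuilt)
        return 0;
    for (i = 0; i < MAX_TAGS; i++) {
        struct tag_node *t = &host_tags[i];
        if (!t->used)
            continue;
        if (t->key == p.sip || t->key == p.dip) {
            if (--t->remaining <= 0)
                t->used = 0;    /* expires after `count` packets */
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed traffic: alert on 10.0.0.1 -> 10.0.0.2, then packets
     * that involve only one endpoint each. */
    struct pkt alert = make_pkt(0x0A000001u, 0x0A000002u, 0);
    struct pkt a_to_c = make_pkt(0x0A000001u, 0x0A000003u, 0);
    struct pkt c_to_b = make_pkt(0x0A000003u, 0x0A000002u, 0);
    int ac, cb;

    reset_host_tags();
    add_host_tag(alert, TAG_HOST_SRC, 2);
    ac = check_host_tag(a_to_c);
    cb = check_host_tag(c_to_b);
    printf("src tag: A->C logged=%d, C->B logged=%d\n", ac, cb);

    reset_host_tags();
    add_host_tag(alert, TAG_HOST_DST, 2);
    ac = check_host_tag(a_to_c);
    cb = check_host_tag(c_to_b);
    printf("dst tag: A->C logged=%d, C->B logged=%d\n", ac, cb);
    return 0;
}
```

With a `src` tag only traffic touching 10.0.0.1 is logged; with `dst` only traffic touching 10.0.0.2 is. The behaviour Lawrence reports, where either address matches regardless of the direction given, is what you get if the direction is dropped before the key is built.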