[Snort-devel] endian-ness in barnyard

Javier Guerra listasJGG at ...1964...
Fri May 2 08:29:14 EDT 2003


Hi

I'm just starting with Snort.  I have just set up a sensor on a network and I 
want to collect the info on my workstation.  It seems that the best would be 
to periodically transfer unified logfiles and apply barnyard to them.

The problem arises because my workstation is a PPC Linux box (Gentoo Linux on a 
Mac).  Barnyard compiles without problems, but complains with

	ERROR => No input plugin found for magic: 8010adde

Looking in the unified file, it starts with "8010 adde", but in dp_log.h the 
magic signature is

	#define LOG_MAGIC 0xDEAD1080

Obvious byte-swapping.

The 'best' solution would be to save unified logfiles in 'network order' and 
insert htons() and htonl() calls in snort; but that would break 
compatibility.

The 'second best' solution is to declare unified logfiles as little-endian 
files and do byte swapping in barnyard.

Looking at the code, I think the following functions would have to be patched:
	SpoolFileHandle(),
	AlertDpReadFileHeader(), AlertDpReadRecord(), 
	LogDpReadFileHeader(), LogDpReadRecord(), 
	StreamStatDpReadFileHeader(), StreamStatDpReadRecord()


(PS: please reply to my mail, since I'm not on the list (yet))

-- 
------
Javier
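Added illustration (not code from the post, from Snort or from barnyard): the bytes on disk are the same on both machines; what differs is how memcpy'ing them into a uint32_t is interpreted. Only LOG_MAGIC (0xDEAD1080) comes from the post; the four-byte sequence below is constructed to match the "8010 adde" the poster saw, and the function names are this example's own. It shows the value a big-endian reader gets from a little-endian file, a byte-swap routine, and a decoder that always treats the file as little-endian regardless of host order, which is what the 'second best' approach amounts to.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Quoted in the post from dp_log.h. */
#define LOG_MAGIC 0xDEAD1080u

/* Constructed sample: the first four bytes of a unified log written by a
 * little-endian (x86) Snort sensor.  This is the on-disk form of LOG_MAGIC. */
static const unsigned char SAMPLE_HEAD[4] = { 0x80, 0x10, 0xAD, 0xDE };

/* Reverse the byte order of a 32-bit value. */
uint32_t bswap32(uint32_t v)
{
    return ((v & 0x000000FFu) << 24) | ((v & 0x0000FF00u) << 8) |
           ((v & 0x00FF0000u) >> 8)  | ((v & 0xFF000000u) >> 24);
}

/* Decode four bytes as little-endian, independent of host byte order.
 * Declaring the file format little-endian means every 32-bit field is read
 * this way instead of being memcpy'd straight into a struct. */
uint32_t le32_decode(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode four bytes as big-endian: this is what a PPC host effectively does
 * when it memcpy's the bytes into a native uint32_t. */
uint32_t be32_decode(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* Decode in the host's own byte order (a plain memcpy). */
uint32_t native32_decode(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

typedef enum { MAGIC_UNKNOWN = 0, MAGIC_NATIVE = 1, MAGIC_SWAPPED = 2 } magic_match;

/* Classify a file header's magic: readable as-is, readable only after
 * byte-swapping, or not a known magic at all.  A reader that records the
 * MAGIC_SWAPPED result can then apply bswap32() to every later 32-bit field. */
magic_match classify_magic(const unsigned char *head, uint32_t expected)
{
    uint32_t v = native32_decode(head);
    if (v == expected)          return MAGIC_NATIVE;
    if (v == bswap32(expected)) return MAGIC_SWAPPED;
    return MAGIC_UNKNOWN;
}

/* Apply the swap decided at header time to a field read in host order. */
uint32_t fix32(uint32_t v, magic_match m)
{
    return (m == MAGIC_SWAPPED) ? bswap32(v) : v;
}

int main(void)
{
    printf("as seen by a big-endian host:    %08x\n", be32_decode(SAMPLE_HEAD));
    printf("decoded as little-endian:        %08x\n", le32_decode(SAMPLE_HEAD));
    printf("this host: %s\n",
           classify_magic(SAMPLE_HEAD, LOG_MAGIC) == MAGIC_NATIVE ? "native" :
           classify_magic(SAMPLE_HEAD, LOG_MAGIC) == MAGIC_SWAPPED ? "swapped" :
           "unknown");
    return 0;
}
```

The be32_decode() result reproduces the 8010adde in the error message, and le32_decode() recovers LOG_MAGIC on any host. Detecting a swapped magic and fixing up each field afterwards keeps existing little-endian files readable; the fixed little-endian decoder is the simpler of the two, since nothing in the reader then depends on the host at all.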