[Snort-devel] endian-ness in barnyard
listasJGG at ...1964...
Fri May 2 08:29:14 EDT 2003
I'm just starting in Snort. I have just set up a sensor on a network and I
want to collect the info on my workstation. It seems that the best would be
to periodically transfer unified logfiles and apply barnyard to them.

The problem arises because my workstation is a PPC Linux (Gentoo Linux on a
Mac). Barnyard compiles without problems, but complains with

    ERROR => No input plugin found for magic: 8010adde

Looking in the unified file, it starts with "8010 adde", but in dp_log.h the
magic signature is

    #define LOG_MAGIC 0xDEAD1080

The 'best' solution would be to save unified logfiles in 'network order' and
insert htons() and htonl() calls in snort; but that would break

The 'second best' solution is to declare unified logfiles as little-endian
files and do byte swapping in barnyard.

Looking at the code, I think the following functions would have to be patched:

(PS: please reply to my mail, since I'm not on the list (yet))
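
The mismatch described in the post, as an added example (not part of the original message and not Barnyard's own code): a reader can either compare the magic in both byte orders and swap later fields when the reversed value matches, or decode the file as little-endian byte by byte. Only LOG_MAGIC comes from the post; the helper names and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAGIC 0xDEAD1080u   /* value quoted in the post from dp_log.h */

/* Reverse the byte order of a 32-bit value. */
static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000FF00u) |
           ((v << 8) & 0x00FF0000u) | (v << 24);
}

/* Load 4 bytes the way fread() into a uint32_t would: in host byte order. */
static uint32_t load_host32(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Hypothetical helper: classify the first bytes of a file. Returns 0 if the
 * writer had the host's byte order, 1 if every multi-byte field must be
 * swapped, -1 if the data is too short or is not this format. */
static int magic_needs_swap(const unsigned char *hdr, size_t len)
{
    if (len < 4) return -1;
    uint32_t m = load_host32(hdr);
    if (m == LOG_MAGIC) return 0;
    if (m == swap32(LOG_MAGIC)) return 1;
    return -1;
}

/* Hypothetical helper: decode a little-endian field on any host, no flag. */
static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed sample: file bytes matching the "8010 adde" seen in the post. */
static const unsigned char sample_le[4] = { 0x80, 0x10, 0xAD, 0xDE };

int main(void)
{
    printf("needs_swap=%d\n", magic_needs_swap(sample_le, sizeof sample_le));
    printf("le32=0x%08lx\n", (unsigned long)load_le32(sample_le));
    return 0;
}
```

The first line printed depends on the host: 0 on a little-endian machine, 1 on a big-endian one such as PPC.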