[Snort-devel] endian-ness in barnyard

Andrew R. Baker andrewb at ...835...
Fri May 2 09:01:58 EDT 2003


Javier Guerra wrote:
> Hi
> 
> I'm just starting to in Snort.  I have just set up a sensor on a network and i 
> want to collect the info in my workstation.  It seems that the best would be 
> to periodically transfer unified logfiles and apply barnyard to it.
> 
> the problem arises because my workstation is a PPC Linux (gentoo linux on a 
> mac).  Barnyard compiles without problems, but complains with
> 
> 	ERROR => No input plugin found for magic: 8010adde
> 
> looking in the unified file, it starts with "8010 adde", but in dp_log.h the 
> magic signature is
> 
> 	#define LOG_MAGIC 0xDEAD1080
> 
> obvious byte-swapping.

Yes, currently Barnyard uses host order formatting.  This is a known 
issue and a fix is planned.

> the 'best' solution would be to save unified logfiles in 'network order' and 
> insert htons() and htonl() calls in snort; but that would break 
> compatibility.
> 
> the 'second best' solution is to declare unified logfiles as little-endian 
> files and do byte swapping in barnyard.
> 
> looking at the code, i think the following functions would have to be patched:
> 	SpoolFileHandle(),
> 	AlertDpReadFileHeader(), AlertDpReadRecord(), 
> 	LogDpReadFileHeader(), LogDpReadRecord(), 
> 	StreamStatDpReadFileHeader(), StreamStatDpReadRecord()

The planned solution is to implement something similar to libpcap. 
libpcap will write output files using host byte ordering.  When reading, 
it will detect the byte ordering and perform the swapping as 
appropriate.  IMHO, this is the best solution to ensure compatibility. 
I have some code that does this, but it is tightly integrated with other 
code that is not ready for release.

-A
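The libpcap-style approach Andrew describes, as an added illustration (this is not Barnyard's, Snort's or libpcap's code): the reader checks the magic in both byte orders, remembers which one matched, and then decodes every later field with that order instead of trusting the host's. Only the LOG_MAGIC value comes from the thread; the three-field header layout, the field names and the two sample headers are constructed for this example and do not match the real unified format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* LOG_MAGIC as quoted from Snort's dp_log.h in the thread. */
#define LOG_MAGIC 0xDEAD1080u

/* Hypothetical, simplified file header used for this illustration:
 * the magic followed by two 32-bit fields. The real unified header
 * has a different layout; only the magic value comes from the thread. */
typedef struct {
    uint32_t magic;
    uint32_t version;   /* assumed field */
    uint32_t timezone;  /* assumed field */
} demo_header_t;

#define DEMO_HEADER_LEN 12u

/* Read a 32-bit value from a byte buffer in an explicit byte order,
 * independent of the byte order of the machine running this code. */
uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Detect the writer's byte order from the magic. Returns 'L', 'B',
 * or 0 if the magic matches in neither order (the "no input plugin
 * found" case from the thread). */
char detect_order(const uint8_t *buf, size_t len) {
    if (len < 4) return 0;
    if (load_le32(buf) == LOG_MAGIC) return 'L';
    if (load_be32(buf) == LOG_MAGIC) return 'B';
    return 0;
}

/* Parse the header, converting every field to host order using the
 * detected writer order. Returns 0 on success, -1 if the buffer is
 * too short or the magic is unknown. */
int read_header(const uint8_t *buf, size_t len, demo_header_t *out, char *order) {
    if (len < DEMO_HEADER_LEN) return -1;
    char o = detect_order(buf, len);
    if (o == 0) return -1;
    uint32_t (*load)(const uint8_t *) = (o == 'L') ? load_le32 : load_be32;
    out->magic    = load(buf);
    out->version  = load(buf + 4);
    out->timezone = load(buf + 8);
    *order = o;
    return 0;
}

/* Constructed sample headers (not real Snort output): the same logical
 * content (magic, version 1, timezone 5) as a little-endian sensor and
 * a big-endian sensor would each write it in host order. */
const uint8_t SAMPLE_LE[DEMO_HEADER_LEN] = {
    0x80, 0x10, 0xAD, 0xDE,  0x01, 0x00, 0x00, 0x00,  0x05, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_BE[DEMO_HEADER_LEN] = {
    0xDE, 0xAD, 0x10, 0x80,  0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x05 };

/* Convenience check: does buf parse with the expected writer order and
 * the sample's field values? Returns 1 on match, 0 otherwise. */
int check_sample(const uint8_t *buf, size_t len, char expect_order) {
    demo_header_t h;
    char o;
    if (read_header(buf, len, &h, &o) != 0) return 0;
    return o == expect_order && h.magic == LOG_MAGIC &&
           h.version == 1 && h.timezone == 5;
}

int main(void) {
    /* What a big-endian reader sees if it trusts host order: 8010adde. */
    printf("naive big-endian read of LE-written magic: %08x\n", load_be32(SAMPLE_LE));
    printf("LE sample parsed: %d, BE sample parsed: %d\n",
           check_sample(SAMPLE_LE, sizeof SAMPLE_LE, 'L'),
           check_sample(SAMPLE_BE, sizeof SAMPLE_BE, 'B'));
    return 0;
}
```

The naive big-endian read of the little-endian sample reproduces exactly the 8010adde value from the error message in the thread, while the order-aware reader accepts both files and returns identical field values from each. A writer that keeps using host order stays compatible with existing files; only the reader changes, which is the compatibility argument for doing it on the Barnyard side.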