[Snort-devel] endian-ness in barnyard
Andrew R. Baker
andrewb at ...835...
Fri May 2 09:01:58 EDT 2003
Javier Guerra wrote:
> I'm just starting to in Snort. I have just set up a sensor on a network and I
> want to collect the info in my workstation. It seems that the best would be
> to periodically transfer unified logfiles and apply barnyard to it.
> the problem arises because my workstation is a PPC Linux (gentoo linux on a
> mac). Barnyard compiles without problems, but complains with
> ERROR => No input plugin found for magic: 8010adde
> Looking in the unified file, it starts with "8010 adde", but in dp_log.h the
> magic signature is
> #define LOG_MAGIC 0xDEAD1080
> obvious byte-swapping.
Yes, currently Barnyard uses host order formatting. This is a known
issue and a fix is planned.
> The 'best' solution would be to save unified logfiles in 'network order' and
> insert htons() and htonl() calls in snort; but that would break
> The 'second best' solution is to declare unified logfiles as little-endian
> files and do byte swapping in barnyard.
> Looking at the code, I think the following functions would have to be patched:
> AlertDpReadFileHeader(), AlertDpReadRecord(),
> LogDpReadFileHeader(), LogDpReadRecord(),
> StreamStatDpReadFileHeader(), StreamStatDpReadRecord()
The planned solution is to implement something similar to libpcap.
libpcap will write output files using host byte ordering. When reading,
it will detect the byte ordering and perform the swapping as
appropriate. IMHO, this is the best solution to ensure compatibility.
I have some code that does this, but it is tightly integrated with other
code that is not ready for release.
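The libpcap-style scheme Andrew describes (write in host order, detect the order on read, swap as needed), as an added example in C that is not Barnyard's or Snort's own code. Only LOG_MAGIC and the swapped value 8010adde come from the thread; the 10-byte header layout, the function names and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LOG_MAGIC 0xDEAD1080u  /* as quoted from Snort's dp_log.h */
/* Byte order of the unified file relative to the host running the reader. */
enum uf_order { UF_SAME = 0, UF_SWAPPED = 1, UF_UNKNOWN = -1 };

static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
static uint16_t swap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }

/* Read the magic in host order (as Barnyard does today) but accept either byte order. */
static enum uf_order uf_detect_order(const unsigned char *buf, size_t len) {
    uint32_t magic;
    if (len < sizeof magic) return UF_UNKNOWN;
    memcpy(&magic, buf, sizeof magic);
    if (magic == LOG_MAGIC) return UF_SAME;
    if (swap32(magic) == LOG_MAGIC) return UF_SWAPPED;  /* 8010adde lands here */
    return UF_UNKNOWN;                                  /* not a unified file */
}

/* Hypothetical 10-byte header (not Snort's real struct): magic, flags, reclen. */
struct uf_hdr { uint32_t magic; uint16_t flags; uint32_t reclen; };

/* Parse the header, swapping every multi-byte field when the writer's byte
 * order differs from ours: the libpcap-style scheme the reply describes. */
static int uf_read_header(const unsigned char *buf, size_t len, struct uf_hdr *h) {
    enum uf_order o = uf_detect_order(buf, len);
    if (o == UF_UNKNOWN || len < 10) return -1;
    memcpy(&h->magic, buf, 4); memcpy(&h->flags, buf + 4, 2); memcpy(&h->reclen, buf + 6, 4);
    if (o == UF_SWAPPED) {
        h->magic = swap32(h->magic);
        h->flags = swap16(h->flags);    /* 16-bit fields need the htons-style swap */
        h->reclen = swap32(h->reclen);  /* 32-bit fields the htonl-style swap */
    }
    return 0;
}

/* Constructed sample header with reclen 0x1234 and flags 1, written in our own
 * order or (foreign != 0) in the opposite order. Returns decoded reclen, 0 on error. */
static uint32_t uf_demo(int foreign) {
    unsigned char buf[10]; struct uf_hdr h;
    uint32_t m = foreign ? swap32(LOG_MAGIC) : LOG_MAGIC;
    uint32_t r = foreign ? swap32(0x1234u) : 0x1234u;
    uint16_t f = foreign ? swap16(1u) : (uint16_t)1u;
    memcpy(buf, &m, 4); memcpy(buf + 4, &f, 2); memcpy(buf + 6, &r, 4);
    return uf_read_header(buf, sizeof buf, &h) == 0 ? h.reclen : 0;
}
```

Because the sample is built by swapping native values rather than hard-coding bytes, uf_demo(1) reproduces the PPC-reads-x86 case on any host.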