[Snort-devel] ascii output's problems

Nicolas Delon delon.nicolas at ...1042...
Fri Sep 12 15:31:06 EDT 2003


Hello world,

If you take a look at the function OpenLogFile in 
src/output-plugins/spo_log_ascii.c (this function takes a Packet * in 
order to create the path and the filename where the content of a given 
alert/packet will be stored),
you'll see this piece of code for path creation:
if(p->sp >= p->dp)
{
     snprintf(log_path, STD_BUF, "%s/%s", pv.log_dir,
               inet_ntoa(p->iph->ip_src));
}
else
{
     snprintf(log_path, STD_BUF, "%s/%s", pv.log_dir,
              inet_ntoa(p->iph->ip_dst));
}

and this piece of code for filename creation:
if(p->sp >= p->dp)
{
     snprintf(log_file, STD_BUF, "%s/%s:%d-%d%s", log_path,
              protocol_names[p->iph->ip_proto], p->sp, p->dp, suffix);
}
else
{
     snprintf(log_file, STD_BUF, "%s/%s:%d-%d%s", log_path,
              protocol_names[p->iph->ip_proto], p->dp, p->sp, suffix);
}
(I have removed the WIN32 dependent code to make it shorter)

It means that if I send a TCP SYN packet from 10.42.0.2:2000 to 
10.42.0.1:1080 (10.42.0.1 is where snort is sniffing), I'll get this (it 
triggers an "SCAN SOCKS Proxy attempt" alert):
$ ls -lR
.:
total 4.0K
drwx------    2 root     root         4.0K Sep 12 23:16 10.42.0.2/

./10.42.0.2:
total 4.0K
-rw-------    1 root     root          259 Sep 12 23:16 TCP:2000-1080

and now, if I send a second TCP SYN packet from 10.42.0.2:1000 to 
10.42.0.1:1080, I'll get this:
$ ls -lR
.:
total 8.0K
drwx------    2 root     root         4.0K Sep 12 23:23 10.42.0.1/
drwx------    2 root     root         4.0K Sep 12 23:16 10.42.0.2/

./10.42.0.1:
total 4.0K
-rw-------    1 root     root          259 Sep 12 23:23 TCP:1080-1000

./10.42.0.2:
total 4.0K
-rw-------    1 root     root          259 Sep 12 23:16 TCP:2000-1080

So, if someone attacks a host with a source port lower than the target 
port, path and filename will be inverted (source ip <=> destination ip, 
source port <=> destination port).

Best regards.

PS: you will find the same problem in 
src/detection-plugins/sp_session.c:OpenSessionFile

-- 
"The only way to stop open source is to make it illegal." - Bruce Perens
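The following is an added, stand-alone illustration of the path logic quoted in the message above; it is not code from Snort or from the poster. It reproduces the port-ordering rule of the quoted OpenLogFile snippet in a plain function (directory chosen by whichever side has the higher port, ports written higher-first) and sets beside it a variant that always keys on the packet's real source address and source port. The two packets from the report (10.42.0.2:2000 and 10.42.0.2:1000, both to 10.42.0.1:1080) are embedded as constructed input. The log directory, function names and the string-based IP arguments are assumptions made so the example runs without Snort's Packet structure.

```c
#include <stdio.h>
#include <string.h>

#define STD_BUF 1024

/* Assumed log directory; Snort reads it from pv.log_dir. */
static const char *LOG_DIR = "/var/log/snort";

/* Mirrors the quoted OpenLogFile logic (hypothetical name): whichever side
 * has the higher port becomes the directory, and the ports are written
 * higher-first. A source port below the target port therefore inverts
 * both the directory (destination IP) and the port order. */
int path_by_port_order(char *out, size_t outlen,
                       const char *src_ip, unsigned short sp,
                       const char *dst_ip, unsigned short dp,
                       const char *proto, const char *suffix)
{
    char log_path[STD_BUF / 2];

    if (sp >= dp) {
        snprintf(log_path, sizeof log_path, "%s/%s", LOG_DIR, src_ip);
        return snprintf(out, outlen, "%s/%s:%d-%d%s",
                        log_path, proto, sp, dp, suffix);
    }
    snprintf(log_path, sizeof log_path, "%s/%s", LOG_DIR, dst_ip);
    return snprintf(out, outlen, "%s/%s:%d-%d%s",
                    log_path, proto, dp, sp, suffix);
}

/* Direction-preserving variant (hypothetical, not Snort's fix): the
 * directory is always the packet's source IP and the ports are always
 * written source-destination, so every packet from one attacker to one
 * target lands under the same directory regardless of port values. */
int path_by_direction(char *out, size_t outlen,
                      const char *src_ip, unsigned short sp,
                      const char *dst_ip, unsigned short dp,
                      const char *proto, const char *suffix)
{
    (void)dst_ip; /* destination IP does not select the directory here */
    return snprintf(out, outlen, "%s/%s/%s:%d-%d%s",
                    LOG_DIR, src_ip, proto, sp, dp, suffix);
}

/* Returns 1 when both packets of the report end up under the same
 * directory with the given path builder, 0 when they are split. */
int same_dir_for_both_packets(int (*build)(char *, size_t,
                                           const char *, unsigned short,
                                           const char *, unsigned short,
                                           const char *, const char *))
{
    char first[STD_BUF], second[STD_BUF];
    char *slash1, *slash2;

    /* Constructed input: the two SYN packets described in the message. */
    build(first, sizeof first, "10.42.0.2", 2000, "10.42.0.1", 1080, "TCP", "");
    build(second, sizeof second, "10.42.0.2", 1000, "10.42.0.1", 1080, "TCP", "");

    /* Compare everything up to the last '/' (the directory part). */
    slash1 = strrchr(first, '/');
    slash2 = strrchr(second, '/');
    if (!slash1 || !slash2 || (slash1 - first) != (slash2 - second))
        return 0;
    return strncmp(first, second, (size_t)(slash1 - first)) == 0;
}

int main(void)
{
    char buf[STD_BUF];

    path_by_port_order(buf, sizeof buf, "10.42.0.2", 2000, "10.42.0.1", 1080, "TCP", "");
    printf("port-order, sp>=dp: %s\n", buf);
    path_by_port_order(buf, sizeof buf, "10.42.0.2", 1000, "10.42.0.1", 1080, "TCP", "");
    printf("port-order, sp<dp:  %s\n", buf);
    path_by_direction(buf, sizeof buf, "10.42.0.2", 1000, "10.42.0.1", 1080, "TCP", "");
    printf("direction, sp<dp:   %s\n", buf);
    printf("same dir (port order): %d\n", same_dir_for_both_packets(path_by_port_order));
    printf("same dir (direction):  %d\n", same_dir_for_both_packets(path_by_direction));
    return 0;
}
```

Running the program reproduces the two listings from the message: the port-ordered builder files the second packet under 10.42.0.1 as TCP:1080-1000, while the direction-keyed builder keeps both packets under 10.42.0.2 with the ports in the order they were actually seen.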
