[Snort-devel] ascii output's problems

Erek Adams erek at ...835...
Fri Sep 12 18:46:02 EDT 2003


On Sat, 13 Sep 2003, Nicolas Delon wrote:

[...snip...]

> So, if someone attacks a host with a source port lower than the target
> port, path and filename will be inverted (source ip <=> destination ip,
> source port <=> destination port).

There's something you missed.

Check back up in the code a few lines:

    /* figure out which way this packet is headed in relation to the homenet */
    if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
    {
        if((p->iph->ip_src.s_addr & pv.netmask) != pv.homenet)


If you use '-h 10.42.0.0/24' you don't have the problem.  From the man
page:

     -h home-net
          Set the "home network" to home-net. The format of  this
          address variable is a network prefix plus a CIDR block,
          such as 192.168.1.0/24.  Once this variable is set, all
          decoded  packet  logging  will  be done relative to the
          home network address space.  This is useful because  of
          the  way  that  Snort formats its ASCII log data.  With
          this value set to the local network, all decoded output
          will be logged into decode directories with the address
          of the foreign computer as the directory name, which is
          very useful during traffic analysis.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
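The direction test Erek points at above, written out as a small stand-alone C model (an added example, not Snort's own logger code): `parse_homenet` builds the `pv.homenet` / `pv.netmask` pair from a `-h 10.42.0.0/24` style argument, and `log_dir_addr` picks the address that names the log directory. With a home net set, the foreign end of the connection is chosen; without one, the only fallback is the port comparison the thread describes (the exact rule used here, source port greater than or equal to destination port means the source is the foreign host, and the handling of packets where both or neither address is inside the home net, are assumptions of this model). The addresses and ports are constructed sample values.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the packet fields the logger looks at; in Snort these
 * come from p->iph (ip_src/ip_dst, network byte order) and p->sp / p->dp. */
typedef struct {
    uint32_t src_ip;   /* network byte order */
    uint32_t dst_ip;   /* network byte order */
    uint16_t sport;
    uint16_t dport;
} pkt_t;

/* Stand-in for pv.homenet / pv.netmask; 'set' is 0 when no -h was given. */
typedef struct {
    uint32_t homenet;  /* network byte order, already masked */
    uint32_t netmask;  /* network byte order */
    int set;
} homenet_t;

/* Parse a "-h" style argument such as "10.42.0.0/24". Returns 0 on success. */
int parse_homenet(const char *cidr, homenet_t *h)
{
    char buf[32];
    char *slash;
    long bits;
    uint32_t mask_host;
    struct in_addr a;

    memset(h, 0, sizeof *h);
    if (strlen(cidr) >= sizeof buf) return -1;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash == NULL) return -1;
    *slash = '\0';
    bits = strtol(slash + 1, NULL, 10);
    if (bits < 0 || bits > 32) return -1;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;

    mask_host = (bits == 0) ? 0 : (0xFFFFFFFFu << (32 - bits));
    h->netmask = htonl(mask_host);
    h->homenet = a.s_addr & h->netmask;   /* same masking as the quoted test */
    h->set = 1;
    return 0;
}

/* Pick the address that names the log directory. With a home net configured,
 * the foreign end is chosen. Without one the logger can only guess from the
 * ports (assumed rule: source port >= destination port means the source is
 * the foreign host), which is what flips the path when the source port
 * happens to be lower than the destination port. */
uint32_t log_dir_addr(const pkt_t *p, const homenet_t *h)
{
    if (h->set) {
        int dst_home = (p->dst_ip & h->netmask) == h->homenet;
        int src_home = (p->src_ip & h->netmask) == h->homenet;
        if (dst_home && !src_home) return p->src_ip;  /* inbound: foreign host is the source */
        if (src_home && !dst_home) return p->dst_ip;  /* outbound: foreign host is the destination */
        /* both or neither inside the home net (assumption): fall back to the ports */
    }
    return (p->sport >= p->dport) ? p->src_ip : p->dst_ip;
}

/* Dotted-quad form of the chosen directory name; returns 0 on success. */
int log_dir_name(const pkt_t *p, const homenet_t *h, char *out, size_t outlen)
{
    struct in_addr a;
    a.s_addr = log_dir_addr(p, h);
    return inet_ntop(AF_INET, &a, out, (socklen_t)outlen) ? 0 : -1;
}

/* Build a constructed packet from dotted addresses and host-order ports. */
pkt_t mk_pkt(const char *src, uint16_t sport, const char *dst, uint16_t dport)
{
    pkt_t p;
    struct in_addr a;
    inet_pton(AF_INET, src, &a); p.src_ip = a.s_addr;
    inet_pton(AF_INET, dst, &a); p.dst_ip = a.s_addr;
    p.sport = sport;
    p.dport = dport;
    return p;
}

int main(void)
{
    homenet_t home, none = {0, 0, 0};
    char name[INET_ADDRSTRLEN];
    /* constructed: outside host 203.0.113.5 talking to 10.42.0.7:80 */
    pkt_t high = mk_pkt("203.0.113.5", 1234, "10.42.0.7", 80);
    pkt_t low  = mk_pkt("203.0.113.5", 53,   "10.42.0.7", 80);

    parse_homenet("10.42.0.0/24", &home);
    log_dir_name(&high, &none, name, sizeof name); printf("no -h, sport 1234:  %s\n", name);
    log_dir_name(&low,  &none, name, sizeof name); printf("no -h, sport 53:    %s\n", name);
    log_dir_name(&high, &home, name, sizeof name); printf("-h set, sport 1234: %s\n", name);
    log_dir_name(&low,  &home, name, sizeof name); printf("-h set, sport 53:   %s\n", name);
    return 0;
}
```

Without `-h`, the low-source-port packet is filed under the victim's address (10.42.0.7) rather than the attacker's; with `-h 10.42.0.0/24` both packets land under 203.0.113.5 regardless of the ports, which is the behaviour the man page text above describes.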