[Snort-devel] ascii output's problems
erek at ...835...
Fri Sep 12 18:46:02 EDT 2003
On Sat, 13 Sep 2003, Nicolas Delon wrote:
> So, if someone attacks a host with a source port lower than the target
> port, path and filename will be inverted (source ip <=> destination ip,
> source port <=> destination port).
There's something you missed.
Check back up in the code a few lines:
/* figure out which way this packet is headed in relation to the homenet */
if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
if((p->iph->ip_src.s_addr & pv.netmask) != pv.homenet)
If you use '-h 10.42.0.0/24' you don't have the problem. From the man
    Set the "home network" to home-net. The format of this
    address variable is a network prefix plus a CIDR block,
    such as 192.168.1.0/24. Once this variable is set, all
    decoded packet logging will be done relative to the
    home network address space. This is useful because of
    the way that Snort formats its ASCII log data. With
    this value set to the local network, all decoded output
    will be logged into decode directories with the address
    of the foreign computer as the directory name, which is
    very useful during traffic analysis.
"When things get weird, the weird turn pro." H.S. Thompson
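Added example (not Snort's code and not part of the thread): a small model of the home-net check quoted above, showing why the directory name is stable once '-h' is set and how the port-order fallback Nicolas describes inverts it. The exact fallback rule (lower port treated as the server side) and the helper names are assumptions.

```python
# Added illustration, not Snort source: models (addr & pv.netmask) == pv.homenet
# and the foreign-host directory naming described in the man page excerpt.
import ipaddress


def parse_homenet(cidr):
    """Turn a '-h' style prefix such as 10.42.0.0/24 into (homenet, netmask) ints."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.netmask)


def in_homenet(addr, homenet, netmask):
    """Mirror the quoted test: (ip & pv.netmask) == pv.homenet."""
    return (int(ipaddress.ip_address(addr)) & netmask) == homenet


def log_dir_for(src_ip, src_port, dst_ip, dst_port, homenet_cidr=None):
    """Return the address that would name the ASCII log directory.

    With a home net configured, the foreign end of the conversation names
    the directory, whatever the ports are.  Without one, fall back to port
    ordering (assumed rule: the lower-port side is guessed to be the server,
    so the higher-port side is taken as the 'foreign' client).  That guess
    is what flips the path when the source port is lower than the target port.
    """
    if homenet_cidr is not None:
        homenet, netmask = parse_homenet(homenet_cidr)
        dst_home = in_homenet(dst_ip, homenet, netmask)
        src_home = in_homenet(src_ip, homenet, netmask)
        if dst_home and not src_home:
            return src_ip          # inbound: foreign host is the source
        if src_home and not dst_home:
            return dst_ip          # outbound: foreign host is the destination
        # both ends inside (or both outside) the home net: no direction, fall through
    # Assumed port-order fallback used when no home net distinguishes the ends.
    return src_ip if src_port > dst_port else dst_ip


if __name__ == "__main__":
    # Constructed sample: a scan from a low source port at an internal web host.
    print("no -h  :", log_dir_for("203.0.113.7", 53, "10.42.0.5", 8080))
    print("with -h:", log_dir_for("203.0.113.7", 53, "10.42.0.5", 8080, "10.42.0.0/24"))
```

Run it to see the same packet land in the victim's directory without '-h' and in the foreign host's directory with it.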