[Snort-devel] spo_cvs.c bugs

Alan Milligan alan at ...2398...
Wed Feb 25 00:56:04 EST 2004


Hi,

I'm trying to do some stuff with snort logging certain packets so I can 
flexibly count bandwidth utilisations using snort rules.  I am still 
unsure if this is the best tool for this job (please advise)...

In my investigations however, I've struggled to get anything out of the 
unixsock stuff - any pointers as to why nothing's getting written down 
the socket would be most helpful.

Also, when trying the csv output, I found a load of bugs with the 
srcport/dstport stuff.  I've appended a patch from the 2.1.1-RC1 source 
base (please forgive me if it's not quite in your standard format ;) ).

TIA

Alan
--- spo_csv.c	2004-02-25 19:39:04.000000000 +1100
+++ spo_csv.c.old	2004-02-25 19:02:50.000000000 +1100
@@ -285,7 +285,7 @@
 	      fprintf(file, "%lu",  (unsigned long) event->sig_id);
 	   }
 	}
-	else if(!strncasecmp("sig_rev",type,7))
+	else if(!strncasecmp("sig_rev",type,6))
 	{
 	   if(event != NULL)
 	   {
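Review bot: the diff is generated backwards (the fixed spo_csv.c is the `---` side and spo_csv.c.old the `+++` side), so the `-` line here is the proposed change and the patch only applies with `patch -R`; regenerating it as `diff -u spo_csv.c.old spo_csv.c` would avoid confusing whoever merges it. On the substance the `-` line is right: "sig_rev" is 7 characters, and comparing only 6 lets any type beginning with "sig_re" fall into this branch. Using strcasecmp() against the whole keyword would stop the hand-counted lengths from drifting out of step with the literals throughout this chain.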
@@ -346,7 +346,7 @@
             fprintf(file,"0x%X",ntohs(p->eh->ether_type));
 	    }
 	}
-	else if(!strncasecmp("udplength", type, 9))
+	else if(!strncasecmp("udplength", type, 3))
 	{
 	    if(p->udph)
 		fprintf(file,"%d",ntohs(p->udph->uh_len));
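Review bot: same reversed-diff caveat; the `-` line with 9 (strlen("udplength")) is the intended version. The old `+` line compares only 3 characters, so any CSV field name starting with "udp" is treated as udplength, and a later "udp..." keyword in the else-if chain could never be reached.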
@@ -361,7 +361,17 @@
 	    if(p->trh)
             PrintTrHeader(file, p);
 	}
-	else if(!strncasecmp("srcport", type, 7))
+	else if(!strncasecmp("src", type, 3))
+	{
+        if(p->iph)
+            fputs(inet_ntoa(p->iph->ip_src), file);
+	}
+	else if(!strncasecmp("dst", type, 3))
+	{
+        if(p->iph)
+            fputs(inet_ntoa(p->iph->ip_dst), file); 
+	}
+	else if(!strncasecmp("srcport", type, 3))
 	{
         if(p->iph)
         {
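Review bot: the reordering is the real fix in this hunk. In the old code (the `+` side) "src" and "dst" are tested with 3 characters before "srcport" and "dstport", and "srcport" itself is also compared on only 3 characters, so a configured srcport field printed the source IP address rather than the port. The proposed version tests the full 7-character srcport/dstport keywords first and moves the 3-character src/dst tests after them (the relocated src block appears in the next hunk). A short comment that the order of this chain is significant because of the prefix matching would stop someone from re-sorting it later.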
@@ -374,12 +384,7 @@
 	        }    
         }
 	}
-	else if(!strncasecmp("src", type, 3))
-	{
-        if(p->iph)
-            fputs(inet_ntoa(p->iph->ip_src), file);
-	}
-	else if(!strncasecmp("dstport", type, 7))
+	else if(!strncasecmp("dstport", type, 3))
 	{
         if(p->iph)
         {
@@ -387,16 +392,11 @@
 	        {
 	            case IPPROTO_UDP:
 	            case IPPROTO_TCP:
-		            fprintf(file, "%d", p->dp);
+		            fprintf(file, "%d", p->sp);
 		            break;
 	        }    
         }
 	}
-	else if(!strncasecmp("dst", type, 3))
-	{
-        if(p->iph)
-            fputs(inet_ntoa(p->iph->ip_dst), file); 
-	}
 	else if(!strncasecmp("icmptype",type,8))
 	{
 	    if(p->icmph)
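Review bot: the `+` line `fprintf(file, "%d", p->sp);` sits in the dstport branch, so the old code writes the source port under the dstport column, evidently a copy/paste of the srcport case; the `-` line's `p->dp` is the correct field. The rest of the hunk is the dst block being moved after dstport for the same prefix-ordering reason as src in the previous hunk, which is consistent with that change.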