[Snort-devel] tag behavior in 2.0.6+

Andreas Östling andreaso at ...387...
Sun Feb 29 03:46:04 EST 2004


On Sun, 29 Feb 2004, Russell Fulton wrote:

> I support this request.  The old behaviour allows one to capture
> responses to actions by a would-be intruder.  Often these are enough to
> confirm whether or not the attack succeeded.

Attached is a patch against 2.1.1 for those of us who like the old behavior.

/Andreas
--- tag.c.org	Sun Feb 29 12:10:43 2004
+++ tag.c	Sun Feb 29 12:11:08 2004
@@ -482,12 +482,8 @@
 
     if(returned == NULL)
     {
-        idx.dip = p->iph->ip_src.s_addr;
-        idx.sip = p->iph->ip_dst.s_addr;
-        idx.dp = p->sp;
-        idx.sp = p->dp;
-
         DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "   Checking session tag list (reverse)...\n"););
+        SwapTag(&idx);  /* swap addresses/ports so they become reversed */
         returned = (TagNode *) ubi_sptFind(ssn_tag_cache_ptr, 
                 (ubi_btItemPtr)&idx);
 
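Review bot: SwapTag(&idx) is called in this hunk but is neither defined nor declared anywhere in the patch, so unless tag.c in 2.1.1 already provides it the file will not compile; either include the helper in the diff or say where it comes from. The removed lines filled idx from the packet explicitly ("idx.dip = p->iph->ip_src.s_addr;", "idx.sip = p->iph->ip_dst.s_addr;", and the ports), whereas a swap only produces the reversed tuple if idx already holds the forward addresses and ports at this point; that precondition is not visible in the hunk and should be stated in the comment next to the call.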
@@ -495,18 +491,18 @@
         {
             DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "   Checking host tag list "
 				    "(forward)...\n"););
-
-            /*
-            **  We only check host once, so that we don't get both
-            **  sides.
-            */
-            idx.sip = p->iph->ip_src.s_addr;
-            idx.dip = p->iph->ip_dst.s_addr;
-            idx.sp  = p->sp;
-            idx.dp  = p->dp;
-
+            SwapTag(&idx);  /* forward again */
             returned = (TagNode *) ubi_sptFind(host_tag_cache_ptr, 
                     (ubi_btItemPtr)&idx);
+
+            if (returned == NULL) 
+            {
+                SwapTag(&idx);  /* reversed again */
+                DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "   Checking host tag list "
+                                        "(reverse)...\n"););
+                returned = (TagNode *) ubi_sptFind(host_tag_cache_ptr,
+                        (ubi_btItemPtr)&idx);
+            }
 
             if(returned != NULL)
             {
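Review bot: the deleted comment ("We only check host once, so that we don't get both sides.") documented a deliberate choice, and the added reverse lookup against host_tag_cache_ptr intentionally undoes it; replace it with a comment stating the new intent (check both directions so responses to the tagged host are captured too, as the thread describes) instead of the bare "/* reversed again */", so the next maintainer does not revert it as a bug. On the path where the second SwapTag(&idx) runs and a node is found, idx is left in reversed orientation when control reaches "if(returned != NULL)"; confirm that the code following this block does not rely on idx being in forward orientation. Minor style: "if (returned == NULL) " carries trailing whitespace and a space before the parenthesis, while the surrounding code writes "if(returned == NULL)".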

