[Snort-devel] patch to reset tv_sec

Brian bmc at ...835...
Tue Mar 1 14:32:04 EST 2005


A friend was running into an issue where all the alerts generated by
Snort using a pcap I had given her had a timestamp of 0.

Instead of fixing the pile of pcaps I gave her, I supplied her with the
attached patch, which sets the tv_sec in the packet to "now" if the
tv_sec is zero and you have the -Z commandline argument.

While not that useful for everyone, hey it was useful for me. 

Patch applies cleanly to CURRENT.

Brian
-------------- next part --------------
Index: src/snort.c
===================================================================
RCS file: /usr/cvsroot-snort/snort/src/snort.c,v
retrieving revision 1.216
diff -u -r1.216 snort.c
--- src/snort.c	28 Jan 2005 21:25:15 -0000	1.216
+++ src/snort.c	1 Mar 2005 22:20:46 -0000
@@ -658,8 +658,16 @@
  */
 void PcapProcessPacket(char *user, struct pcap_pkthdr * pkthdr, u_char * pkt)
 {
+    struct timeval tv;
+    struct timezone tz;
+
     pc.total++;
 
+    if (pv.pcap_no_zero_time_flag && pkthdr->ts.tv_sec == 0) {
+        gettimeofday(&tv, &tz);
+        pkthdr->ts.tv_sec = tv.tv_sec;
+    }
+
     /*
     ** Save off the time of each and every packet 
     */ 
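Review bot: The return value of the added gettimeofday() call is ignored, so if it fails `tv` is left uninitialized and an indeterminate `tv_sec` is copied into the packet header; the obsolete `struct timezone` argument is also unnecessary. Guarding the assignment, `if (gettimeofday(&tv, NULL) == 0) pkthdr->ts.tv_sec = tv.tv_sec;`, and dropping the `tz` declaration covers both. The substituted value is the processing time rather than the capture time, and only `tv_sec` is replaced while `tv_usec` keeps whatever the file held, so alerts and logs written under -Z no longer say when the packet was actually seen; a comment at the assignment such as `/* -Z: zero capture time replaced by processing time, not the original capture time */` would keep later readers of those logs from trusting it as a capture timestamp. PcapProcessPacket's body continues past the end of the hunk.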
@@ -840,6 +848,7 @@
     FPUTS_BOTH ("        -X         Dump the raw packet data starting at the link layer\n");
     FPUTS_BOTH ("        -y         Include year in timestamp in the alert and log files\n");
     FPUTS_BOTH ("        -z         Set assurance mode, match on established sesions (for TCP)\n");
+    FPUTS_BOTH ("        -Z         Reset pcap timestamps if the timestamp is 0\n");
     FPUTS_BOTH ("        -?         Show this information\n");
     FPUTS_BOTH ("<Filter Options> are standard BPF options, as seen in TCPDump\n");
 
@@ -901,18 +910,18 @@
 #ifndef WIN32
 #ifdef GIDS
 #ifndef IPFW
-    valid_options = "?A:bB:c:CdDefF:g:h:i:Ik:l:L:m:n:NoOpP:qQr:R:sS:t:Tu:UvVwXyz";
+    valid_options = "?A:bB:c:CdDefF:g:h:i:Ik:l:L:m:n:NoOpP:qQr:R:sS:t:Tu:UvVwXyzZ";
 #else
-    valid_options = "?A:bB:c:CdDefF:g:h:i:IJ:k:l:L:m:n:NoOpP:qr:R:sS:t:Tu:UvVwXyz";
+    valid_options = "?A:bB:c:CdDefF:g:h:i:IJ:k:l:L:m:n:NoOpP:qr:R:sS:t:Tu:UvVwXyzZ";
 #endif /* IPFW */
 #else
     /* Unix does not support an argument to -s <wink marty!> OR -E, -W */
-    valid_options = "?A:bB:c:CdDefF:g:h:i:Ik:l:L:m:n:NoOpP:qQr:R:sS:t:Tu:UvVwXyz";
+    valid_options = "?A:bB:c:CdDefF:g:h:i:Ik:l:L:m:n:NoOpP:qQr:R:sS:t:Tu:UvVwXyzZ";
 #endif /* GIDS */
 #else
     /* Win32 does not support:  -D, -g, -m, -t, -u */
     /* Win32 no longer supports an argument to -s, either! */
-    valid_options = "?A:bB:c:CdeEfF:h:i:Ik:l:L:n:NoOpP:qr:R:sS:TUvVwWXyz";
+    valid_options = "?A:bB:c:CdeEfF:h:i:Ik:l:L:n:NoOpP:qr:R:sS:TUvVwWXyzZ";
 #endif
 
     /* loop through each command line var and process it */
@@ -1416,6 +1425,10 @@
             case 'z': /* set assurance mode (used with stream 4) */
                 pv.assurance_mode = ASSURE_EST;
                 break;
+            
+            case 'Z': /* set assurance mode (used with stream 4) */
+                pv.pcap_no_zero_time_flag = 1;
+                break;
 
             case '?':  /* show help and exit with 1 */
                 DisplayBanner();
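Review bot: The comment on the new `case 'Z':` is copied from the 'z' case and describes assurance mode, which has nothing to do with the flag this case sets; suggest `case 'Z': /* replace zero pcap timestamps with the current time */`. The added blank line preceding it also carries trailing whitespace. The enclosing switch starts and ends outside the hunk.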
Index: src/snort.h
===================================================================
RCS file: /usr/cvsroot-snort/snort/src/snort.h,v
retrieving revision 1.380
diff -u -r1.380 snort.h
--- src/snort.h	28 Jan 2005 21:25:15 -0000	1.380
+++ src/snort.h	1 Mar 2005 22:20:46 -0000
@@ -152,6 +152,7 @@
 typedef struct _progvars
 {
     int stateful;
+    int pcap_no_zero_time_flag;
     int line_buffer_flag;
     int checksums_mode;
     int assurance_mode;
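Review bot: Nothing in the patch initializes the new `pcap_no_zero_time_flag`; it is only ever set by the -Z case, so the option being off by default relies on `pv` being zero-initialized, which is not visible from the diff (a file-scope object would be, a heap- or stack-allocated one would not). If `pv` is cleared elsewhere along with the other defaults this is fine; otherwise an explicit `pv.pcap_no_zero_time_flag = 0;` next to the other default assignments removes the doubt. The struct definition continues past the hunk.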

