[Snort-devel] How to log an IP address in dpx.c ?

Emiliano Fausto emiliano.fausto at ...2499...
Mon Sep 15 09:11:23 EDT 2014


Hello Luc,

What if you try something like this?

_dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
            (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
            (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF,
            src_port_test);

Maybe there's a better way, but hope it helps.

Regards,
Emiliano.

2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:

> Hi Emiliano,
>
> I am still trying to log the IP4 source and IP4 destination addresses in
> dotted decimal format.
>
> I was too quick in concluding that everything worked fine with the code
> you provided previously. I hope you (or anyone else) will help me once
> again to figure out what is wrong.
>
> When I add this code to dpx.c (from dpx-1.6.tar.gz
> <https://webmail.hro.nl/gw/dpx-1.6.tar.gz%29>) just before the last }:
>
> IP4Hdr iphd;
> sfip_t iphdt;
>
> iphdt = iphd.ip_src;
> unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
> unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) + (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
> unsigned short int src_port_test = p->src_port;
>
> iphdt = iphd.ip_dst;
> unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
> unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) + (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
> unsigned short int dst_port_test = p->dst_port;
> _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n", src_ip_test, src_port_test, dst_ip_test, dst_port_test);
>
>
> I cannot find the correct IP address output (the port numbers are
> correct) when running ./test.sh (using test.pcap as input):
>
> Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
> Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
> Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
> Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
> Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
> Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
>
> The IPsrc should be 10.1.2.3 ...
> The IPdst should be 10.4.5.6 ...
>
> I cannot figure out what is wrong. Any help is appreciated.
>
> Regards,
>
> Luc
>
>
>
>
>
>
> >>> Zeeuw, L.V. de 07/25/14 9:19 AM >>>
> Hi Emiliano,
>
> thank you! I have tried this and indeed it works fine if I use
>
>    IP4Hdr iphd;
>    sfip_t iphdt;
>
> for the declaration.
>
> These code snippets are very useful!
>
> Regards,
>
> Luc
>
>
>
> >>> Emiliano Fausto <emiliano.fausto at ...2499...> 07/24/14 6:49 PM >>>
> Hello Luc,
>
> I've tried this testing and it works fine:
>
>
> iphdt = iphd.ip_src;
> unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
> unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) + (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
> unsigned short int src_port_test = p->src_port;
>
> iphdt = iphd.ip_dst;
> unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
> unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) + (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
> unsigned short int dst_port_test = p->dst_port;
> _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",src_ip_test,src_port_test, dst_ip_test,dst_port_test);
>
>
> Hope it helps,
> Emiliano.
>
>
> 2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
>
>> Hi,
>>
>> I am experimenting with the dpx. It's working. Now I have started adding some
>> statements to view the contents of the ip4/tcp headers. I am able to log things
>> like src/dst, TCP payload size, etc.
>>
>> SFSnortPacket* p = (SFSnortPacket*)pkt;
>>
>> _dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port, p->dst_port);
>> _dpd.logMsg("Payload size %i\n", p->payload_size);
>>
>> but from sf_snort_packet.h and sf_ip.h (??) I do not know how to log an
>> IP address ...
>>
>> I should like to ...
>>
>> _dpd.logMsg("Source ip %?? \n", ?????);
>>
>> BTW: Are there any recent books/tutorials for this kind of question you would
>> recommend? What about Snort development documentation for the most recent
>> Snort version?
>>
>> Any help is appreciated.
>>
>> Regards,
>>
>> Luc
>>
>> the Netherlands
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>
>
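Editor's added example, not part of the thread and not code from dpx or Snort. Two things stand out in the quoted snippet. First, `IP4Hdr iphd;` declares a fresh local header that is never filled, so `iphd.ip_src` and `iphd.ip_dst` are read from uninitialized automatic storage rather than from the packet's own IPv4 header (the `SFSnortPacket` passed in as `p` carries that header; the page does not show the field name, so it is not guessed here). Second, the value 16777216 in Luc's output is 0x01000000, which the shift-and-mask trick from the top reply prints as 1.0.0.0, not 10.1.2.3, so the bytes being formatted are simply not the packet's. The C program below, written for this page, shows the shift-and-mask formatting applied to bytes from a defined address, `inet_ntop` as the shorter portable alternative, and the byte-order trap that appears when the four wire bytes are first read into a native integer (which is what `struct in_addr.s_addr` holds). The `struct fake_sfip` layout, `make_sample`, and the 10.1.2.3 / 10.4.5.6 inputs are assumptions constructed for the example; `_dpd.logMsg` is replaced with `snprintf`/`printf` so the result can be checked. If memory serves, sf_ip.h in the 2.9 headers also declares its own `sfip_t` to string helper (`sfip_to_str`); that is worth checking before hand-rolling any of this, but it is not confirmed by anything on this page.

```c
#include <arpa/inet.h>   /* inet_ntop, ntohl, INET_ADDRSTRLEN */
#include <sys/socket.h>  /* AF_INET */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the address object in the thread: the four IPv4 octets
 * occupy the first bytes of a 16-byte buffer in network (wire) order. This is
 * an assumption for the example, not Snort's real sfip_t definition. */
struct fake_sfip {
    int family;
    int bits;
    union {
        uint8_t  u6_addr8[16];
        uint32_t u6_addr32[4];
    } ip;
};

/* Build the host-order value the way Emiliano's snippet does: first wire byte
 * becomes the most significant byte. Behaves the same on any host endianness. */
uint32_t ipv4_host_order_from_bytes(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Shift-and-mask formatting from the reply. Only valid for a HOST-order value;
 * `out` must have room for INET_ADDRSTRLEN bytes. */
int ipv4_to_dotted(uint32_t host_ip, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%u.%u.%u.%u",
                    (unsigned)((host_ip >> 24) & 0xFF), (unsigned)((host_ip >> 16) & 0xFF),
                    (unsigned)((host_ip >> 8) & 0xFF),  (unsigned)(host_ip & 0xFF));
}

/* Check helper: does host_ip format as `expected`? */
int ipv4_dotted_equals(uint32_t host_ip, const char *expected)
{
    char buf[INET_ADDRSTRLEN];
    ipv4_to_dotted(host_ip, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Portable alternative: inet_ntop reads the raw wire bytes, no shifting. */
int ipv4_ntop_equals(const uint8_t *wire_bytes, const char *expected)
{
    char buf[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, wire_bytes, buf, sizeof buf) == NULL)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* The trap: copying the wire bytes into a native uint32_t (what struct
 * in_addr.s_addr holds) gives a NETWORK-order integer. Shifting that directly
 * reverses the octets on a little-endian host; ntohl() first is the fix.
 * Returns 1 only where the naive path happens to agree (big-endian hosts). */
int naive_shift_matches_ntohl(const struct fake_sfip *a)
{
    uint32_t raw;
    char naive[INET_ADDRSTRLEN], fixed[INET_ADDRSTRLEN];
    memcpy(&raw, a->ip.u6_addr8, sizeof raw);   /* same bytes, no reordering */
    ipv4_to_dotted(raw, naive, sizeof naive);    /* 3.2.1.10 on x86 */
    ipv4_to_dotted(ntohl(raw), fixed, sizeof fixed);
    return strcmp(naive, fixed) == 0;
}

/* Constructed sample address. Unlike the quoted `IP4Hdr iphd;`, every byte of
 * this object is defined before it is read. */
struct fake_sfip make_sample(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    struct fake_sfip s;
    memset(&s, 0, sizeof s);
    s.family = AF_INET;
    s.bits = 32;
    s.ip.u6_addr8[0] = a; s.ip.u6_addr8[1] = b;
    s.ip.u6_addr8[2] = c; s.ip.u6_addr8[3] = d;
    return s;
}

int main(void)
{
    struct fake_sfip src = make_sample(10, 1, 2, 3);   /* Luc's expected IPsrc */
    char buf[INET_ADDRSTRLEN];
    uint32_t h = ipv4_host_order_from_bytes(src.ip.u6_addr8);

    ipv4_to_dotted(h, buf, sizeof buf);
    printf("shift-mask : %s (u32 %u)\n", buf, (unsigned)h);
    inet_ntop(AF_INET, src.ip.u6_addr8, buf, sizeof buf);
    printf("inet_ntop  : %s\n", buf);

    /* 16777216 is 0x01000000: the ipsrc value in Luc's output is 1.0.0.0 */
    ipv4_to_dotted(16777216u, buf, sizeof buf);
    printf("16777216   : %s\n", buf);

    printf("naive s_addr shift %s the ntohl() result on this host\n",
           naive_shift_matches_ntohl(&src) ? "matches" : "differs from");
    return 0;
}
```

Build with `cc -o ipfmt ipfmt.c` and run it. On an x86 host the last line reports "differs from", which is exactly the reversed-octet symptom you get by feeding a raw `s_addr` into the `%u.%u.%u.%u` shift trick; Emiliano's byte-by-byte composition avoids that because it never lets the host's integer layout into the picture.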