[Snort-devel] How to log an IP address in dpx.c ?

Steven Sturges ststurge at ...3461...
Mon Sep 15 09:27:10 EDT 2014


If you have an sfip_t pointer, look at providing a buffer/length to sfip_ntop()
and then logging that buffer via _dpd.logMsg().  That will handle both IPv4 & IPv6.

Cheers.
-steve
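Steve's suggestion, as an added stand-alone example (not code from this thread or from Snort): a simplified stand-in for sfip_t and for sfip_ntop() built on inet_ntop(), so it compiles without the Snort headers; the names demo_sfip_t, demo_sfip_ntop, make_v4 and shift_bytes are mine. shift_bytes() repeats the byte-shifting from Luc's post, which only yields an address when the sfip_t was really copied out of the packet; in the posted code `IP4Hdr iphd;` is declared but never assigned, which is why the log shows 16777216 (0x01000000) and 0 instead of 10.1.2.3.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Simplified stand-in for Snort's sfip_t (sf_ip.h): family + raw address bytes only. */
typedef struct {
    int16_t family;          /* AF_INET or AF_INET6 */
    union {
        uint8_t  ip8[16];    /* address bytes in network byte order */
        uint32_t ip32[4];
    } ip;
} demo_sfip_t;

/* Stand-in for sfip_ntop(ip, buf, bufsize): NUL-terminated text of either family; */
/* a buffer that is too short truncates the address instead of overflowing.       */
static void demo_sfip_ntop(const demo_sfip_t *ip, char *buf, int bufsize)
{
    char tmp[INET6_ADDRSTRLEN];
    if (!ip || !buf || bufsize <= 0)
        return;
    if (!inet_ntop(ip->family, ip->ip.ip8, tmp, sizeof tmp))
        snprintf(buf, (size_t)bufsize, "<invalid ip>");
    else
        snprintf(buf, (size_t)bufsize, "%s", tmp);
}

/* Constructed IPv4 address (the thread expects source 10.1.2.3). */
static demo_sfip_t make_v4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    demo_sfip_t s;
    memset(&s, 0, sizeof s);
    s.family = AF_INET;
    s.ip.ip8[0] = a; s.ip.ip8[1] = b; s.ip.ip8[2] = c; s.ip.ip8[3] = d;
    return s;
}

/* The thread's byte-shifting: gives the host-order integer only when the sfip_t */
/* was really filled from the packet; an uninitialised IP4Hdr yields stack garbage. */
static unsigned int shift_bytes(const demo_sfip_t *s)
{
    const unsigned char *p = s->ip.ip8;
    return ((unsigned)p[0] << 24) | ((unsigned)p[1] << 16) | ((unsigned)p[2] << 8) | p[3];
}
```

In a preprocessor the call would be demo_sfip_ntop(&src, buf, sizeof buf) followed by _dpd.logMsg("Source ip %s\n", buf), with the real sfip_ntop() in place of the stand-in.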

On 9/15/14, 9:11 AM, Emiliano Fausto wrote:
> Hello Luc,
>
> what if you try with something like this?
>
> _dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
>             (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
>             (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF,
>             src_port_test);
>
> Maybe there's a better way, but hope it helps.
>
> Regards,
> Emiliano.
>
> 2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
>
>     Hi Emiliano,
>
>     I am still trying to log the IP4 source and IP4 destination addresses
>     in dotted decimal format.
>
>     I was too quick to conclude that everything worked fine using the
>     code you provided previously. I hope you (or anyone else) will help
>     me once again to figure out what is wrong.
>
>     When I am adding this code to the dpx.c (from the dpx-1.6.tar.gz)
>     just before the last }
>
>
>     IP4Hdr iphd;
>     sfip_t iphdt;
>
>     iphdt = iphd.ip_src;
>     unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
>     unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
>                                (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
>     unsigned short int src_port_test = p->src_port;
>
>     iphdt = iphd.ip_dst;
>     unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
>     unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
>                                (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
>     unsigned short int dst_port_test = p->dst_port;
>     _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
>                 src_ip_test, src_port_test, dst_ip_test, dst_port_test);
>
>
>     I cannot find the correct IP address output (the port numbers are
>     correct) when running ./test.sh (using test.pcap as input)
>
>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
>     Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
>     Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
>
>     The IPsrc should be 10.1.2.3 ...
>     The IPdst should be 10.4.5.6 ...
>
>     I cannot figure out what is wrong. Any help is appreciated.
>
>     Regards,
>
>     Luc
>
>
>     >>> Zeeuw, L.V. de 07/25/14 9:19 AM >>>
>     Hi Emiliano,
>
>     thank you! I have tried this and indeed it works fine if I use
>
>        IP4Hdr iphd;
>        sfip_t iphdt;
>
>     for the declaration.
>
>     These code snippets are very useful!
>
>     Regards,
>
>     Luc
>
>
>
>     >>> Emiliano Fausto <emiliano.fausto at ...2499...> 07/24/14 6:49 PM >>>
>     Hello Luc,
>
>     I've tried this testing and it works fine:
>
>     iphdt = iphd.ip_src;
>     unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
>     unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
>                                (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
>     unsigned short int src_port_test = p->src_port;
>
>     iphdt = iphd.ip_dst;
>     unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
>     unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
>                                (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
>     unsigned short int dst_port_test = p->dst_port;
>     _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
>                 src_ip_test, src_port_test, dst_ip_test, dst_port_test);
>
>
>     Hope it helps,
>     Emiliano.
>
>
>     2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
>
>         Hi,
>
>         I am experimenting with the dpx. It's working. Now I started
>         adding some statements to view the content of the ip4/tcp headers.
>         I am able to log things like src/dst, TCP payload size, etc.
>
>         SFSnortPacket* p = (SFSnortPacket*)pkt;
>         _dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port, p->dst_port);
>         _dpd.logMsg("Payload size %i\n", p->payload_size);
>
>         but from sf_snort_packet.h and sf_ip.h (??) I do not know how
>         to log an IP address ...
>
>         I should like to ...
>
>         _dpd.logMsg("Source ip %?? \n", ?????);
>
>         BTW: Are there any recent books/tutorials for this kind of
>         question you would recommend? What about Snort development
>         documentation for the most recent Snort version?
>
>         Any help is appreciated.
>
>         Regards,
>
>         Luc
>
>         the Netherlands
>
>
>
>
>
>
>         _______________________________________________
>         Snort-devel mailing list
>         Snort-devel at lists.sourceforge.net
>         <mailto:Snort-devel at lists.sourceforge.net>
>         https://lists.sourceforge.net/lists/listinfo/snort-devel
>         Archive:
>         http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
>         Please visit http://blog.snort.org for the latest news about
>         Snort!
>
>
>
>
>
