[Snort-devel] How to log an IP address in dpx.c ?

Zeeuw, L.V. de l.v.de.zeeuw at ...3504...
Tue Sep 16 10:47:32 EDT 2014


Hi Emiliano (and Steven),

working on the code you provided previously, this code will do the job for me:

    IP4Hdr iphd;
    sfip_t iphdt;

    /* copy the IPv4 header out of the packet, then its source address */
    iphd = p->inner_ip4h;
    iphdt = iphd.ip_src;

    /* walk the four address bytes as they sit in memory (network order) */
    unsigned char *ipV4address = (unsigned char*) &iphdt.ip;

    _dpd.logMsg("IPsource %u.%u.%u.%u\n", *ipV4address, *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));

    /* ipV4address still points into iphdt, so reassigning iphdt is enough */
    iphdt = iphd.ip_dst;
    _dpd.logMsg("IPdestination %u.%u.%u.%u\n", *ipV4address, *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));


Using the test.pcap as input file.

Output:
..
IPsource 10.9.8.7
IPdestination 10.4.5.6
..

Thank you both for your time.

Regards,

Luc

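The two formatting approaches that appear in this thread (walking the four header bytes, and packing them into a 32-bit value and shifting the octets back out), as an added stand-alone example that is not from the thread or from the Snort sources. It assumes a plain four-byte array in place of `sfip_t` / `&iphdt.ip`, and adds the standard `inet_ntop` route for comparison.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Luc's approach: print the four header bytes in memory (network) order.
 * b points at the first byte of the address, like (unsigned char *)&iphdt.ip. */
int ip4_dotted_from_bytes(const unsigned char *b, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
}

/* Emiliano's approach, step 1: pack the bytes into a host-order 32-bit value. */
uint32_t ip4_host_u32(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Emiliano's approach, step 2: shift each octet back out for printing.
 * Logging the packed value itself with %u gives 168364039 for 10.9.8.7. */
int ip4_dotted_from_u32(uint32_t a, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%u.%u.%u.%u",
                    (unsigned)(a >> 24) & 0xFF, (unsigned)(a >> 16) & 0xFF,
                    (unsigned)(a >> 8) & 0xFF, (unsigned)a & 0xFF);
}

/* Library route: inet_ntop consumes the network-order bytes directly. */
const char *ip4_dotted_inet_ntop(const unsigned char *b, char *out, size_t outlen)
{
    return inet_ntop(AF_INET, b, out, (socklen_t)outlen);
}

int main(void)
{
    /* Constructed sample: 10.9.8.7, the source address in the thread's output. */
    const unsigned char src[4] = { 10, 9, 8, 7 };
    char s1[INET_ADDRSTRLEN], s2[INET_ADDRSTRLEN], s3[INET_ADDRSTRLEN];
    uint32_t a = ip4_host_u32(src);

    ip4_dotted_from_bytes(src, s1, sizeof s1);
    ip4_dotted_from_u32(a, s2, sizeof s2);
    ip4_dotted_inet_ntop(src, s3, sizeof s3);
    printf("raw=%u bytes=%s shifts=%s inet_ntop=%s\n", a, s1, s2, s3);
    return 0;
}
```

All three routes produce the same dotted string; the byte-pointer form needs no byte-order handling because it never reinterprets the bytes as an integer.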

>>> Emiliano Fausto <emiliano.fausto at ...2499...> 09/15/14 3:12 PM >>>
Hello Luc,


what if you try with something like this?

    _dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
                (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
                (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF,
                src_port_test);


Maybe there's a better way, but hope it helps.

Regards,

Emiliano.


2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
Hi Emiliano, 

I am still trying to log the IP4 source and IP4 destination addresses in dotted decimal format.

I was too quick to conclude that everything worked fine using the code you provided previously. I hope you will help me once again (or anyone else) to figure out what is wrong.

When I add this code to dpx.c (from dpx-1.6.tar.gz) just before the last }:

    IP4Hdr iphd;
    sfip_t iphdt;
    iphdt = iphd.ip_src;
    unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
    unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
                               (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
    unsigned short int src_port_test = p->src_port;
    iphdt = iphd.ip_dst;
    unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
    unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
                               (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
    unsigned short int dst_port_test = p->dst_port;
    _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
                src_ip_test, src_port_test, dst_ip_test, dst_port_test);

I cannot get the correct IP address output (the port numbers are correct) when running ./test.sh (using test.pcap as input):

Test: ipsrc16777216 portsrc12345 ipdst0         portDst8
Test: ipsrc16777216 portsrc8 ipdst0     portDst12345
Test: ipsrc16777216 portsrc12345 ipdst0         portDst80
Test: ipsrc16777216 portsrc12345 ipdst0         portDst8
Test: ipsrc16777216 portsrc8 ipdst0     portDst12345
Test: ipsrc16777216 portsrc12345 ipdst0         portDst80

The IPsrc should be 10.1.2.3 ...
The IPdst should be 10.4.5.6 ...

I cannot figure out what is wrong. Any help is appreciated.

Regards,

Luc


>>> Zeeuw, L.V. de 07/25/14 9:19 AM >>>
Hi Emiliano,

thank you! I have tried this and indeed it works fine if I use 

   IP4Hdr iphd;
   sfip_t iphdt;

for the declaration.

These code snippets are very useful!

Regards,

Luc



>>> Emiliano Fausto <emiliano.fausto at ...2499...> 07/24/14 6:49 PM >>>
Hello Luc,


I've tried testing this and it works fine:

    iphdt = iphd.ip_src;
    unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
    unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
                               (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
    unsigned short int src_port_test = p->src_port;

    iphdt = iphd.ip_dst;
    unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
    unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
                               (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
    unsigned short int dst_port_test = p->dst_port;
    _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
                src_ip_test, src_port_test, dst_ip_test, dst_port_test);

Hope it helps,
Emiliano.



2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
Hi,

I am experimenting with the dpx. It's working. Now I have started adding some statements to view the contents of the IP4/TCP headers. I am able to log things like src/dst ports, TCP payload size, etc.

    SFSnortPacket* p = (SFSnortPacket*)pkt;
    _dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port, p->dst_port);
    _dpd.logMsg("Payload size %i\n", p->payload_size);
 
but from sf_snort_packet.h and sf_ip.h (??) I do not know how to log an IP address ...

I would like to do something like ...

    _dpd.logMsg("Source ip %?? \n", ?????);

BTW: Are there any recent books/tutorials for this kind of question you would recommend? What about Snort development documentation for the most recent Snort version?
 
Any help is appreciated.

Regards,

Luc

the Netherlands


_______________________________________________
 Snort-devel mailing list
 Snort-devel at lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/snort-devel
 Archive:
 http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
 
 Please visit http://blog.snort.org for the latest news about Snort!