[Snort-devel] How to log an IP address in dpx.c ?

Emiliano Fausto emiliano.fausto at ...2499...
Tue Sep 16 11:48:40 EDT 2014


That's great!

Regards,
Emi

2014-09-16 11:47 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:

> Hi Emiliano (and Steven),
>
> working on the code you provided previously, this code will do the job for
> me:
>
>
>    IP4Hdr iphd;
>    sfip_t iphdt;
>
>    iphd = p->inner_ip4h;
>    iphdt = iphd.ip_src;
>    unsigned char *ipV4address = (unsigned char*) &iphdt.ip;
>    _dpd.logMsg("IPsource %u.%u.%u.%u\n", *ipV4address,
>                *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));
>
>    iphdt = iphd.ip_dst;
>    _dpd.logMsg("IPdestination %u.%u.%u.%u\n", *ipV4address,
>                *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));
>
>
> Using the test.pcap as input file.
>
> Output:
> ..
>
>    IPsource 10.9.8.7
>    IPdestination 10.4.5.6
> ..
> Thank you both for your time.
>
> Regards,
>
> Luc
>
>
> >>> Emiliano Fausto <emiliano.fausto at ...2499...> 09/15/14 3:12 PM >>>
>
> Hello Luc,
>
> what if you try with something like this?
>
> _dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
>             (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
>             (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF,
>             src_port_test);
>
> Maybe there's a better way, but hope it helps.
>
> Regards,
> Emiliano.
>
> 2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
>
>> Hi Emiliano,
>>
>> I am still trying to log the IP4 source and IP4 destination addresses in
>> dotted decimal format.
>>
>> I was too quick to say that everything worked fine using the code
>> you provided previously. I hope you (or anyone else) will help me once
>> again to figure out what is wrong.
>>
>> When I add this code to dpx.c (from the dpx-1.6.tar.gz
>> <https://webmail.hro.nl/gw/dpx-1.6.tar.gz%29>) just before the last }
>>
>>    IP4Hdr iphd;
>>    sfip_t iphdt;
>>
>>    iphdt = iphd.ip_src;
>>    unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
>>    unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
>>                               (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
>>    unsigned short int src_port_test = p->src_port;
>>
>>    iphdt = iphd.ip_dst;
>>    unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
>>    unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
>>                               (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
>>    unsigned short int dst_port_test = p->dst_port;
>>
>>    _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
>>                src_ip_test, src_port_test, dst_ip_test, dst_port_test);
>>
>>
>>
>> I cannot get the correct IP address output (the port numbers are
>> correct) when running ./test.sh (using test.pcap as input):
>>
>>
>>    Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
>>    Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
>>    Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
>>    Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
>>    Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
>>    Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
>>
>>
>> The IPsrc should be 10.1.2.3 ...
>> The IPdst should be 10.4.5.6 ...
>>
>> I cannot figure out what is wrong. Any help is appreciated.
>>
>> Regards,
>>
>> Luc
>>
>>
>>
>>
>>
>>
>> >>> Zeeuw, L.V. de 07/25/14 9:19 AM >>>
>> Hi Emiliano,
>>
>> thank you! I have tried this and indeed it works fine if I use
>>
>>    IP4Hdr iphd;
>>    sfip_t iphdt;
>>
>> for the declaration.
>>
>> These code snippets are very useful!
>>
>> Regards,
>>
>> Luc
>>
>>
>>
>> >>> Emiliano Fausto <emiliano.fausto at ...2499...> 07/24/14 6:49 PM >>>
>> Hello Luc,
>>
>> I've tried this testing and it works fine:
>>
>>
>> iphdt = iphd.ip_src;
>> unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
>> unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) + (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
>> unsigned short int src_port_test = p->src_port;
>>
>> iphdt = iphd.ip_dst;
>> unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
>> unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) + (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
>> unsigned short int dst_port_test = p->dst_port;
>> _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",src_ip_test,src_port_test, dst_ip_test,dst_port_test);
>>
>>
>> Hope it helps,
>> Emiliano.
>>
>>
>> 2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
>>
>>> Hi,
>>>
>>> I am experimenting with the dpx. It's working. Now I have started adding
>>> some statements to view the content of the IP4/TCP headers. I am able to
>>> log things like src/dst, TCP payload size, etc.
>>>
>>>
>>>    SFSnortPacket* p = (SFSnortPacket*)pkt;
>>>
>>>    _dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port, p->dst_port);
>>>    _dpd.logMsg("Payload size %i\n", p->payload_size);
>>>
>>> but from sf_snort_packet.h and sf_ip.h (??) I do not know how to log an
>>> IP address ...
>>>
>>> I would like to ...
>>>
>>>    _dpd.logMsg("Source ip %?? \n", ?????);
>>>
>>> BTW: Are there any recent books/tutorials for these kinds of questions
>>> you would recommend? What about Snort development documentation for the
>>> most recent Snort version?
>>>
>>> Any help is appreciated.
>>>
>>> Regards,
>>>
>>> Luc
>>>
>>> the Netherlands
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>
>>
>
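Editor's note, added to this archived thread: the helper below is an added example, not code from the thread, from dpx or from the Snort tree. It shows the two points the thread ends up at: read the address as four octets out of the sfip_t union (as Luc's Sep 16 snippet does) instead of rebuilding a host-order integer first, and make sure the IP4Hdr you read is the packet's (the Sep 16 version adds iphd = p->inner_ip4h;, which the Sep 15 snippet lacked). It also adds a NULL check on the header pointer that the thread does not show. To compile outside Snort it carries reduced copies of sfip_t and IP4Hdr with only the members used (member names as in Snort 2.9's sf_ip.h and sf_snort_packet.h; the reduced layout is an assumption), a hypothetical Pkt struct standing in for the SFSnortPacket members involved, and it returns the formatted line instead of calling _dpd.logMsg. The 10.1.2.3:12345 -> 10.4.5.6:80 sample packet is constructed from the values quoted in the thread.

```c
/* Added example (editor's code, not from the thread, dpx or Snort).
 * sfip_t / IP4Hdr keep Snort 2.9's member names but only the fields used
 * here; Pkt is a hypothetical stand-in for the SFSnortPacket members
 * involved (ip4h pointer, inner_ip4h struct, src_port, dst_port). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _ip {
    int16_t family;
    int16_t bits;
    union {
        uint8_t  u6_addr8[16];     /* IPv4 occupies u6_addr8[0..3] */
        uint16_t u6_addr16[8];
        uint32_t u6_addr32[4];
    } ip;
} sfip_t;

typedef struct _IP4Hdr {
    uint8_t  ip_verhl, ip_tos;
    uint16_t ip_len, ip_id, ip_off;
    uint8_t  ip_ttl, ip_proto;
    uint16_t ip_csum;
    sfip_t   ip_src, ip_dst;
} IP4Hdr;

typedef struct {                   /* assumption: subset of SFSnortPacket */
    IP4Hdr  *ip4h;                 /* NULL when there is no IPv4 header */
    IP4Hdr   inner_ip4h;
    uint16_t src_port, dst_port;
} Pkt;

/* Dotted decimal straight from the four octets: no shifts and no
 * byte-order dependence; the promoted uint8_t values are cast to match %u. */
static int ip4_dotted(const sfip_t *a, char *buf, size_t len)
{
    const uint8_t *b = a->ip.u6_addr8;
    return snprintf(buf, len, "%u.%u.%u.%u",
                    (unsigned)b[0], (unsigned)b[1], (unsigned)b[2], (unsigned)b[3]);
}

/* The same address as a host-order 32-bit value, which is what the
 * (x >> 24) & 0xFF ... format string in the thread expects as input. */
static uint32_t ip4_host_order(const sfip_t *a)
{
    const uint8_t *b = a->ip.u6_addr8;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
         | ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Builds "src:sport -> dst:dport". Returns 0 (and an empty line) for packets
 * without an IPv4 header instead of reading through a NULL pointer. */
static int describe_ip4_flow(const Pkt *p, char *line, size_t len)
{
    char src[16], dst[16];
    if (p->ip4h == NULL) { if (len) line[0] = '\0'; return 0; }
    ip4_dotted(&p->ip4h->ip_src, src, sizeof src);
    ip4_dotted(&p->ip4h->ip_dst, dst, sizeof dst);
    snprintf(line, len, "%s:%u -> %s:%u",
             src, (unsigned)p->src_port, dst, (unsigned)p->dst_port);
    return 1;
}

/* Constructed sample packet: 10.1.2.3:12345 -> 10.4.5.6:80, the addresses
 * and ports seen in the thread's test.pcap output. */
static void init_sample_packet(Pkt *p)
{
    static const uint8_t s[4] = {10, 1, 2, 3}, d[4] = {10, 4, 5, 6};
    memset(p, 0, sizeof *p);
    memcpy(p->inner_ip4h.ip_src.ip.u6_addr8, s, 4);
    memcpy(p->inner_ip4h.ip_dst.ip.u6_addr8, d, 4);
    p->inner_ip4h.ip_src.family = p->inner_ip4h.ip_dst.family = 2; /* AF_INET */
    p->src_port = 12345;
    p->dst_port = 80;
    p->ip4h = &p->inner_ip4h;      /* Snort points ip4h at the decoded header */
}

static const char *sample_flow_line(void)
{
    static char line[64];
    Pkt p;
    init_sample_packet(&p);
    describe_ip4_flow(&p, line, sizeof line);
    return line;
}

static uint32_t sample_src_host_order(void)
{
    Pkt p;
    init_sample_packet(&p);
    return ip4_host_order(&p.inner_ip4h.ip_src);
}

static int sample_non_ip_is_skipped(void)
{
    char line[64] = "stale";
    Pkt p;
    init_sample_packet(&p);
    p.ip4h = NULL;                 /* e.g. an ARP frame */
    return describe_ip4_flow(&p, line, sizeof line) == 0 && line[0] == '\0';
}

int main(void)
{
    printf("%s\n", sample_flow_line());
    printf("src as host-order value: 0x%08x\n", (unsigned)sample_src_host_order());
    printf("non-IPv4 packet skipped: %s\n", sample_non_ip_is_skipped() ? "yes" : "no");
    return 0;
}
```

Inside a preprocessor, drop Pkt and the sample, hand the real SFSnortPacket's header pointer and ports to describe_ip4_flow, and pass the result to _dpd.logMsg("%s\n", line). ip4_host_order is only there to show what the shift-and-mask format string in Emiliano's Sep 15 reply needs as its argument; when the four octets are already in hand, ip4_dotted is the shorter path. Whichever you use, the value has to come from a header that was actually filled from the packet; an IP4Hdr local that is declared and never assigned prints whatever was on the stack.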
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140916/17be987c/attachment.html>

