[Snort-users] large numbers of ICMP messages and log analysis

Fyodor fygrave at ...121...
Mon Aug 21 08:17:27 EDT 2000


~ :
~ :Would it make sense for snort to adopt a syslog approach to log entries (and
~ :print messages such as previous packet repeated 10,000 times?) for instances
~ :such as this it could save quite a lot of hassle (and provided that the
~ :payloads were compared no data would be lost).  I haven't looked at the
~ :architecture yet but could this be done by a pre-processor (I suspect not as


No, it would rather be an output plugin, I guess.

f.e.
#include <string.h>	/* strcmp, strncpy; Snort's own headers (Packet etc.) assumed included */

void somealertfunc(Packet *p, char *msg, void *arg) {

	static int alertcnt = 0;
	static char oldmsg[BUFSIZ + 1];
	static u_int32_t oldsrc, olddst;
	static u_int8_t oldproto;
	/* maybe you'd want to verify if portnumbers/icmp type
	   code would be the same as well
	 */

	/* assumes an IP packet, i.e. p->iph is set */
	if (!strcmp(oldmsg, msg) && p->iph->ip_src.s_addr == oldsrc &&
	    p->iph->ip_dst.s_addr == olddst && p->iph->ip_proto == oldproto)
	{
		/* same alert as the previous one: just count it */
		alertcnt++;
		return;
	}
	if (alertcnt != 0) {
		/* a different alert arrived: report the swallowed copies first */
		GenerateLogMessage("Previous message repeated %i times.\n",
				   alertcnt);
		alertcnt = 0;
	}
	/* ... emit the current alert as usual ... */
	/* remember this alert so the next one can be compared against it */
	oldsrc = p->iph->ip_src.s_addr;
	olddst = p->iph->ip_dst.s_addr;
	oldproto = p->iph->ip_proto;
	/* bounded copy: bcopy(msg, oldmsg, BUFSIZ) reads past the end of a short msg */
	strncpy(oldmsg, msg, BUFSIZ);
	oldmsg[BUFSIZ] = '\0';
	return;
}

You probably need some flushing mechanism here too: if no messages showed
up within a certain period of time, you generate the `previous ..' message and
flush stuff. You probably need to hook the SIGALRM signal and get the signal
handler to do that.
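The collapsing and idle-flush logic described above, written out as a self-contained C program that compiles on its own. This is an added example, not code from the original post or from Snort: the alert struct, the 5-second FLUSH_SECS idle timeout, the in-memory output buffer and the sample alert stream are all assumptions made for illustration.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define MSGLEN     128
#define FLUSH_SECS 5     /* assumed idle timeout; the post leaves the period open */
#define MAXLINES   16
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* The fields the post compares: message text, source, destination, protocol. */
typedef struct {
    uint32_t src, dst;      /* host byte order, see IP4() */
    uint8_t  proto;
    char     msg[MSGLEN];
} alert_t;

/* State an output plugin keeps between calls (the post's static variables). */
typedef struct {
    int      have_prev;     /* 0 until the first alert, or after a timed flush */
    alert_t  prev;
    unsigned repeats;       /* alerts folded into prev since prev was printed */
    time_t   last_seen;     /* when prev or one of its repeats last arrived */
} collapse_state_t;

/* Sink for output lines; a real plugin would write to syslog or a file. */
typedef struct { char lines[MAXLINES][MSGLEN + 64]; int n; } log_buf_t;

static void emit(log_buf_t *out, const char *line) {
    if (out->n < MAXLINES)
        snprintf(out->lines[out->n++], sizeof out->lines[0], "%s", line);
}

static int same_alert(const alert_t *a, const alert_t *b) {
    return a->src == b->src && a->dst == b->dst && a->proto == b->proto &&
           strcmp(a->msg, b->msg) == 0;
}

/* Print the pending repeat count, if any, and reset it. */
static void flush_repeats(collapse_state_t *st, log_buf_t *out) {
    char line[64];
    if (st->repeats == 0)
        return;
    snprintf(line, sizeof line, "Previous message repeated %u times.", st->repeats);
    emit(out, line);
    st->repeats = 0;
}

/* Called once per alert. Returns 1 if the alert was printed in full,
 * 0 if it was folded into the repeat count of the previous one. */
int collapse_alert(collapse_state_t *st, const alert_t *a, time_t now, log_buf_t *out) {
    char line[MSGLEN + 64];
    if (st->have_prev && same_alert(&st->prev, a)) {
        st->repeats++;
        st->last_seen = now;
        return 0;
    }
    flush_repeats(st, out);
    snprintf(line, sizeof line, "%u.%u.%u.%u -> %u.%u.%u.%u proto %u: %s",
             (a->src >> 24) & 255, (a->src >> 16) & 255, (a->src >> 8) & 255, a->src & 255,
             (a->dst >> 24) & 255, (a->dst >> 16) & 255, (a->dst >> 8) & 255, a->dst & 255,
             (unsigned)a->proto, a->msg);
    emit(out, line);
    st->prev = *a;
    st->have_prev = 1;
    st->repeats = 0;
    st->last_seen = now;
    return 1;
}

/* Idle flush, the job the post gives to a SIGALRM timer: if nothing arrived for
 * FLUSH_SECS, print the pending count and forget the previous alert, so the next
 * identical alert is printed in full instead of folded into a stale count.
 * Returns 1 if a flush happened. */
int collapse_tick(collapse_state_t *st, time_t now, log_buf_t *out) {
    if (!st->have_prev || now - st->last_seen < FLUSH_SECS)
        return 0;
    flush_repeats(st, out);
    st->have_prev = 0;
    return 1;
}

/* The handler only sets a flag: snprintf and friends are not async-signal-safe,
 * so the packet loop checks flush_pending and calls collapse_tick itself. */
static volatile sig_atomic_t flush_pending = 0;
static void on_alarm(int sig) { (void)sig; flush_pending = 1; alarm(FLUSH_SECS); }

/* Constructed sample stream (not real Snort output) on a simulated clock. */
log_buf_t demo_log;
int run_demo(void) {
    collapse_state_t st = {0};
    alert_t ping = { IP4(10,0,0,1), IP4(10,0,0,2), 1, "ICMP Echo Request" };
    alert_t syn  = { IP4(10,0,0,1), IP4(10,0,0,2), 6, "SYN scan" };
    memset(&demo_log, 0, sizeof demo_log);
    collapse_alert(&st, &ping, 0, &demo_log);   /* printed */
    collapse_alert(&st, &ping, 1, &demo_log);   /* folded, three times */
    collapse_alert(&st, &ping, 2, &demo_log);
    collapse_alert(&st, &ping, 3, &demo_log);
    collapse_alert(&st, &syn,  4, &demo_log);   /* "repeated 3 times", then printed */
    collapse_tick(&st, 5, &demo_log);           /* only 1s idle: nothing */
    collapse_alert(&st, &syn,  6, &demo_log);   /* folded */
    collapse_tick(&st, 12, &demo_log);          /* 6s idle: "repeated 1 times" */
    collapse_alert(&st, &syn, 13, &demo_log);   /* printed in full again */
    return demo_log.n;
}

int main(void) {
    int i, n = run_demo();
    signal(SIGALRM, on_alarm);  /* a long-running plugin would arm this and alarm(FLUSH_SECS) */
    for (i = 0; i < n; i++)
        puts(demo_log.lines[i]);
    return 0;
}
```

Two things worth noting when turning this into a real plugin. Keep the signal handler down to setting a flag, as above, and do the actual flush from the packet loop, because stdio and syslog(3) are not safe to call from inside a handler. And, exactly like syslogd's "last message repeated" trick, only the immediately preceding alert is compared against, so two alert types arriving interleaved never collapse; a flood of one ICMP message, which is the case asked about, collapses fine.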
