[Snort-users] Problems with TOS

Martin Roesch roesch at ...421...
Sun Jan 7 01:52:29 EST 2001


Here's the fix:

--- sp_ip_tos_check_old.c       Sun Jan  7 01:49:46 2001
+++ sp_ip_tos_check.c   Sun Jan  7 01:50:09 2001
@@ -134,7 +134,7 @@
         return 0; /* if error occured while ip header
                    * was processed, return 0 automagically.
                */
-    if(((IpTosData *)otn->ds_list[PLUGIN_IP_TOS_CHECK])->ip_tos == ntohs(p->
->ip_tos))
+    if(((IpTosData *)otn->ds_list[PLUGIN_IP_TOS_CHECK])->ip_tos == p->iph->i
os)
     {
         /* call the next function in the function list recursively */
         return fp_list->next->OptTestFunc(p, otn, fp_list->next);
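Review bot: The added comparison drops the ntohs() call with no comment explaining why, so a later reader may be tempted to put a byte-order conversion back. The TOS field is a single octet in the IP header and has no byte order to convert, which is why the direct comparison is the correct one. A one-line comment above the if saying so would document the fix. A regression check with a nonzero value, such as the tos: 24 rule from this thread, would catch a reintroduction.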


This will be committed to CVS momentarily.


     -Marty


Ofir Arkin wrote:
> 
> Tried that already.
> Tried using 24 decimal equal to hex 18.
> 
> Nothing...
> 
> I was curious, I got a match only between 0-10.
> 
> Ofir
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Paul Cardon
> Sent: Saturday, January 06, 2001 7:07 AM
> To: Ofir Arkin
> Cc: Snort-Users
> Subject: Re: [Snort-users] Problems with TOS
> 
> Ofir Arkin wrote:
> >
> > In which format should the tos value be?
> > Hex, Decimal?
> >
> > I just have trouble matching it with a very basic rule:
> >
> > alert icmp any any -> any any (msg:"TOS Check"; tos: 24;)
> 
> The tos plugin performs an atoi() on the tos argument so it needs to be
> specified as a decimal value.
> 
> -paul
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org



