[Snort-users] Snort patch

Andrew R. Baker andrewb at ...1150...
Mon Jan 15 21:11:59 EST 2001


Attached is a patch to the snort 1.7 source.  It adds two features and
cleans up some output issues.

New Features:
	output timestamps in UTC.  This is enabled with the '-U' commandline
option.
	allow absolute paths in the tcpdump log plugin.

Output issues:
	ErrorMessage and LogMessage appear to make an improper syslog call
	(LOG_CONS will collide with the priority bits and can only be used in an
	openlog call).
	The portscan preprocessor was calling the packet logging facilities without
	a packet; this generated calls to ErrorMessage from the tcpdump log plugin.

-A
-------------- next part --------------
diff -durN snort-1.7.orig/plugbase.c snort-1.7/plugbase.c
--- snort-1.7.orig/plugbase.c	Tue Jan  2 00:06:00 2001
+++ snort-1.7/plugbase.c	Fri Jan 12 15:43:21 2001
@@ -895,7 +895,10 @@
 
     buf = (char *)malloc(SMALLBUFFER);
 
-    time = localtime(tv_sec);
+    if(pv.use_utc == 1)
+        time = gmtime(tv_sec);
+    else
+        time = localtime(tv_sec);
 
     if(tz < 0)
         snprintf(buf, SMALLBUFFER, "%04i-%02i-%02i %02i:%02i:%02i%03i", 1900 + time->tm_year, time->tm_mon + 1, time->tm_mday, time->tm_hour, time->tm_min, time->tm_sec, tz);
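Review bot: The new `gmtime(tv_sec)` call can return NULL (a time_t outside the range it can represent), and `time->tm_year` on the snprintf line below then dereferences it; the new branch needs a NULL test that reports or returns an error instead of formatting, and the same applies to the localtime() branch it mirrors. In UTC mode the format below still appends `tz`, which from its name is the local offset computed outside the hunk; if so, a UTC timestamp is printed with a non-zero local suffix, while the sibling function in the next hunk prints no suffix at all in UTC mode, so the two outputs disagree. The `malloc(SMALLBUFFER)` result above is also written to without a check. The enclosing function starts and ends outside the hunk.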
@@ -952,15 +955,30 @@
     bzero((char *)&tz,sizeof(tz));
     gettimeofday(&tv,&tz);
     tvp = &tv;
-    lt = localtime((time_t *)&tvp->tv_sec);
+	if(pv.use_utc == 1)
+	{
+		lt = gmtime((time_t *)&tvp->tv_sec);
+       	snprintf(buf, SMALLBUFFER, "%04i-%02i-%02i %02i:%02i:%02i", 
+				1900 + lt->tm_year, lt->tm_mon + 1, lt->tm_mday, 
+				lt->tm_hour, lt->tm_min, lt->tm_sec);
+	}
+	else
+	{
+    	lt = localtime((time_t *)&tvp->tv_sec);
 
-    tzone = GetLocalTimezone();
+    	tzone = GetLocalTimezone();
 
-    if(tzone < 0)
-        snprintf(buf, SMALLBUFFER, "%04i-%02i-%02i %02i:%02i:%02i%03i", 1900 + lt->tm_year, lt->tm_mon + 1, lt->tm_mday, lt->tm_hour, lt->tm_min, lt->tm_sec, tzone);
-    else
-        snprintf(buf, SMALLBUFFER, "%04i-%02i-%02i %02i:%02i:%02i+%02i", 1900 + lt->tm_year, lt->tm_mon + 1, lt->tm_mday, lt->tm_hour, lt->tm_min, lt->tm_sec, tzone);
+    	if(tzone < 0)
+        	snprintf(buf, SMALLBUFFER, "%04i-%02i-%02i %02i:%02i:%02i%03i", 
+					1900 + lt->tm_year, lt->tm_mon + 1, lt->tm_mday, 
+					lt->tm_hour, lt->tm_min, lt->tm_sec, tzone);
+    	else
+        	snprintf(buf, SMALLBUFFER, "%04i-%02i-%02i %02i:%02i:%02i+%02i", 
+					1900 + lt->tm_year, lt->tm_mon + 1, lt->tm_mday, 
+					lt->tm_hour, lt->tm_min, lt->tm_sec, tzone);
+	}
 
+	ErrorMessage("%s\n", buf);
     return buf;
 }
 
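Review bot: The added `ErrorMessage("%s\n", buf);` just before `return buf;` looks like a leftover debug print: every timestamp this function produces is now also emitted through ErrorMessage, which in daemon mode (see the syslog hunks in snort.c) means one syslog line per timestamp, and it should be removed. The UTC branch also drops the timezone suffix entirely, so a consumer of the string cannot tell a UTC stamp from a local one; writing the UTC format as `"%04i-%02i-%02i %02i:%02i:%02i+00"` keeps it parseable by the same code as the local branch. `gmtime()` can return NULL and is dereferenced without a check, as in the plugbase.c hunk above. The new lines mix tabs and spaces where the surrounding file uses four-space indentation. The enclosing function starts outside the hunk.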
diff -durN snort-1.7.orig/snort.c snort-1.7/snort.c
--- snort-1.7.orig/snort.c	Fri Jan  5 00:37:08 2001
+++ snort-1.7/snort.c	Mon Jan 15 17:53:54 2001
@@ -110,8 +110,7 @@
     /* set the default alert mode */
     pv.alert_mode = ALERT_FULL;
 
-    /* set the timezone (ripped from tcpdump) */
-    thiszone = gmt2local(0);
+    pv.use_utc = 0;
 
     /*
      * provide (limited) status messages by default
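Review bot: Moving `thiszone = gmt2local(0);` from the defaults block to after `ParseCmdLine()` (next hunk) leaves `thiszone` at whatever value it had while the command line is parsed; if anything reached from ParseCmdLine prints a timestamp (I cannot see it from here), it would use an unset zone. Keeping `thiszone = gmt2local(0);` here as before and only overriding it after parsing with `if(pv.use_utc == 1) thiszone = 0;` keeps the default valid throughout and reduces the next hunk to one line. The enclosing function starts and ends outside both hunks.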
@@ -127,6 +126,16 @@
     /* chew up the command line */
     ParseCmdLine(argc, argv);
 
+    if(pv.use_utc == 1)
+    {
+        thiszone = 0;
+    }
+    else
+    {
+        /* set the timezone (ripped from tcpdump) */
+        thiszone = gmt2local(0);
+    }
+
     /*
      * make sure we've got the privs to continue
      */
@@ -517,6 +526,7 @@
     fputs("        -S <n=v>   Set rules file variable n equal to value v\n", stderr);
     fputs("        -t <dir>   Chroots process to <dir> after initialization\n", stderr);
     fputs("        -u <uname> Run snort uid as <uname> user (or uid) after initialization\n", stderr);
+    fputs("        -U         Use UTC for timestamps\n", stderr);
     fputs("        -v         Be verbose\n", stderr);
     fputs("        -V         Show version number\n", stderr);
     fputs("        -X         Dump the raw packet data starting at the link layer\n", stderr);
@@ -567,7 +577,7 @@
 
     /* loop through each command line var and process it */
     while((ch = getopt(argc, argv,
-                       "XL:IOCqS:pNA:F:DM:br:xeh:l:dc:n:P:i:vV?aso6u:g:t:")) != -1)
+            "XL:IOCqS:pNA:F:DM:br:xeh:l:dc:n:P:i:vV?aso6u:g:t:U")) != -1)
     {
 #ifdef DEBUG
         printf("Processing cmd line switch: %c\n", ch);
@@ -879,6 +889,10 @@
 #endif
                 break;
 
+            case 'U':               /* use UTC */
+                pv.use_utc = 1;
+                break;
+
             case 'v':                /* be verbose */
                 pv.verbose_flag = 1;
 #ifdef DEBUG
@@ -2183,7 +2197,7 @@
     if(pv.daemon_flag)
     {
         vsprintf(buf, format, ap);
-        syslog(LOG_CONS | LOG_DAEMON | LOG_ERR, "%s", buf);
+        syslog(LOG_DAEMON | LOG_ERR, "%s", buf);
     }
     else
     {
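Review bot: `vsprintf(buf, format, ap);` on the daemon path formats a caller-supplied message into `buf` with no bound, and the LogMessage hunk below has the same line; both functions take printf-style arguments from across the code base, so a long message overflows `buf`. Use `vsnprintf(buf, sizeof buf, format, ap);` if `buf` is a fixed array (its declaration is outside the hunk), or pass its declared size otherwise. The removal of LOG_CONS is correct: it is an openlog() option, and OR-ing its value into the level bits turns LOG_NOTICE into LOG_DEBUG under the common syslog.h definitions, which explains why LogMessage output was being dropped. The enclosing functions start outside the hunks.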
@@ -2211,7 +2225,7 @@
     if(pv.daemon_flag)
     {
         vsprintf(buf, format, ap);
-        syslog(LOG_CONS | LOG_DAEMON | LOG_NOTICE, "%s", buf);
+        syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf);
     }
     else
     {
diff -durN snort-1.7.orig/snort.h snort-1.7/snort.h
--- snort-1.7.orig/snort.h	Thu Jan  4 22:12:08 2001
+++ snort-1.7/snort.h	Tue Jan  9 12:51:11 2001
@@ -171,6 +171,7 @@
     char *pcap_cmd;
     char *alert_filename;
     char *binLogFile;
+    int use_utc;
 } PV;
 
 /* struct to collect packet statistics */
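Review bot: The new `use_utc` member is undocumented even though it becomes the switch read by plugbase.c, snort.c and spp_portscan.c in this patch; a one-line comment such as `int use_utc;        /* 1 = print timestamps in UTC (-U), 0 = local time */` would record what the values mean. The enclosing struct starts outside the hunk.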
diff -durN snort-1.7.orig/spo_log_tcpdump.c snort-1.7/spo_log_tcpdump.c
--- snort-1.7.orig/spo_log_tcpdump.c	Fri Jan  5 08:21:18 2001
+++ snort-1.7/spo_log_tcpdump.c	Mon Jan  8 02:31:09 2001
@@ -135,8 +135,10 @@
     if(args != NULL)
     {
         while(isspace((int)*args)) args++;
-
-        data->filename = strdup(args);
+        if(strcmp(args, "") != 0)
+            data->filename = strdup(args);
+        else
+            data->filename = strdup("snort.log");
     }
     else
     {
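Review bot: `strcmp(args, "") != 0` is a roundabout empty test; `if(*args != '\0')` says the same thing and matches the `*args` style of the isspace loop just above it. Only leading whitespace is skipped, so a trailing space or newline left by the config parser (I cannot see it from here) ends up inside the file name. The `strdup()` results are not checked, as in the original. The enclosing function starts outside the hunk.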
@@ -194,6 +196,7 @@
     struct tm *loc_time;   /* place to stick the adjusted clock data */
     char timebuf[10];
     char logdir[STD_BUF];
+    int value;
 
     bzero(logdir, STD_BUF);
     bzero(timebuf, 10);
@@ -201,14 +204,16 @@
     loc_time = localtime(&curr_time);
     strftime(timebuf,91,"%m%d@%H%M",loc_time);
 
-    if((strlen(data->filename) + 2 + strlen(pv.log_dir)
-        + strlen(chrootdir == NULL ? "" : chrootdir) + strlen(timebuf)) > STD_BUF)
-    {
-        FatalError("ERROR: log file logging path and file name are too long, aborting!\n");
-    }
+    if(data->filename[0] == '/')
+        value = snprintf(logdir, STD_BUF, "%s%s", 
+                chrootdir == NULL ? "" : chrootdir, data->filename);
+    else
+        value = snprintf(logdir, STD_BUF, "%s%s/%s-%s",
+               chrootdir == NULL ? "" : chrootdir, pv.log_dir, timebuf, 
+               data->filename);
 
-    sprintf(logdir, "%s%s/%s-%s",
-           chrootdir == NULL ? "" : chrootdir, pv.log_dir, timebuf, data->filename);
+	if(value == -1)
+        FatalError("ERROR: log file logging path and file name are too long, aborting!\n");
 
 #ifdef DEBUG
     printf("Opening %s\n", logdir);
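Review bot: The `value == -1` check does not detect truncation: snprintf returns the length the full string would have had, so an over-long path yields `value >= STD_BUF`, `logdir` silently holds a truncated path, and the explicit length check this replaces is lost. Change the test to `if(value < 0 || value >= STD_BUF)`. With an absolute `data->filename` the date stamp and `pv.log_dir` are bypassed, so the configured name now selects any path under the chroot (when one is set); that is the intended feature, but the `pv.log_dir` prefix was also what kept log output inside the log directory, which deserves a comment at the new branch. The context line `strftime(timebuf,91,...)` above passes a bound far larger than `char timebuf[10]`; it is pre-existing, but `sizeof timebuf` is the correct argument. The enclosing function starts and ends outside the hunk.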
@@ -216,7 +221,7 @@
 
     if((data->dumpd=pcap_dump_open(pd,logdir)) == NULL)
     {
-        FatalError("log_tcpdump TcpdumpInitLogFile(): %s", strerror(errno));
+        FatalError("log_tcpdump TcpdumpInitLogFile(): %s\n", strerror(errno));
     }
 
     /* keep a copy of the filename for later reference */
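Review bot: `strerror(errno)` after a failed `pcap_dump_open()` reports whatever errno happens to hold, since libpcap does not promise to set it; the error text libpcap records is returned by `pcap_geterr(pd)`, so `FatalError("log_tcpdump TcpdumpInitLogFile(): %s: %s\n", logdir, pcap_geterr(pd));` gives the real reason and the path that failed. The enclosing function starts outside the hunk.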
diff -durN snort-1.7.orig/spp_portscan.c snort-1.7/spp_portscan.c
--- snort-1.7.orig/spp_portscan.c	Tue Jan  2 00:06:01 2001
+++ snort-1.7/spp_portscan.c	Fri Jan 12 15:44:46 2001
@@ -951,7 +951,7 @@
                 }
                 /* (*AlertFunc)(NULL, logMessage); */
                 CallAlertFuncs(NULL , logMessage, NULL);
-                CallLogFuncs(NULL , logMessage, NULL);
+                /* CallLogFuncs(NULL , logMessage, NULL); */
                 scanList->lastSource->scanDetected = 1;
                 scanList->lastSource->reportTime = currTime;
             }
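Review bot: Commenting out `CallLogFuncs(NULL, logMessage, NULL);` here, and in the two spp_portscan.c hunks below, means portscan detections no longer reach any log output plugin, not only the tcpdump one that cannot handle a NULL packet; that is a functional change that nothing in the code records. Delete the commented-out calls instead of leaving them behind, and state the reason in a comment such as `/* no log call: there is no packet to log, and spo_log_tcpdump cannot handle NULL */`, or keep the call and have the plugins that need a packet ignore NULL. The enclosing functions start outside the hunks.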
@@ -976,7 +976,7 @@
                                 (currentSource->reportStealth) ? " STEALTH" : "");
                         /* (*AlertFunc)(NULL, logMessage); */
                         CallAlertFuncs(NULL , logMessage, NULL);
-                        CallLogFuncs(NULL , logMessage, NULL);
+                        /* CallLogFuncs(NULL , logMessage, NULL); */
                         currentSource->scanDetected = 0;
                     }
                     else
@@ -1324,9 +1324,17 @@
      * packet contents.
      */
     packetLogSize = 100;
+	if(pv.use_utc == 1)
+	{
+		timeFormat = tGMT;
+		printf("Using GMT time\n");
+	}
+	else
+	{
+    	timeFormat = tLOCAL;
+		printf("Using LOCAL time\n");
+	}
 
-    timeFormat = tLOCAL;    /* Alternatively, you can do tGMT (should be
-                 * runtime setting) */
 }
 
 
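Review bot: The two `printf("Using ... time\n")` calls write to stdout unconditionally, bypassing `LogMessage()`, which the snort.c hunks show routing status output to syslog in daemon mode, where stdout is not a console; use `LogMessage("Using GMT time\n");` and `LogMessage("Using LOCAL time\n");`, or drop them. The new lines also mix tabs and spaces (the `timeFormat = tLOCAL;` line is indented with both) where the file uses four spaces. The enclosing function starts outside the hunk.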
@@ -1497,7 +1505,7 @@
             (currentSource->stealthScanUsed) ? " STEALTH" : "");
     /* (*AlertFunc)(NULL, logMessage); */
     CallAlertFuncs(NULL, logMessage, NULL);
-    CallLogFuncs(NULL, logMessage, NULL);
+    /* CallLogFuncs(NULL, logMessage, NULL); */
 }
 
 

