[Snort-users] ghetto references patch

Brian Caswell bmc at ...312...
Thu Mar 15 18:10:12 EST 2001


Many of you are pissy about my changes to the rules. 

For those of you that are using ghetto output plugins without support
for references, I've developed the ghetto patch for you.

This adds a ghetto commandline option to merge references back into the
msg.

use "-G" to use this ghetto functionality.

As you might have guessed, the G is for ghetto.

-brian
-------------- next part --------------
Index: rules.c
===================================================================
RCS file: /cvsroot/snort/snort/rules.c,v
retrieving revision 1.48
diff -u -r1.48 rules.c
--- rules.c	2001/03/14 20:07:15	1.48
+++ rules.c	2001/03/15 22:59:07
@@ -1555,6 +1555,12 @@
     OptTreeNode *otn_idx;
     KeywordXlateList *kw_idx;
 
+    ReferenceData *ds_ptr;  /* data struct pointer */
+    char *newmsg;
+    char *realmsg;
+    
+
+
     /* set the OTN to the beginning of the list */
     otn_idx = rtn_tmp->down;
 
@@ -1740,8 +1746,40 @@
             --num_toks;
             i++;
         }
+
+
+    if((pv.ghetto_msg_flag) && (otn_tmp != NULL))
+    {
+
+#ifdef DEBUG
+    printf("Adding ghetto references\n");
+#endif
+        ds_ptr = (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];
+
+        realmsg = calloc(strlen(otn_tmp->message), sizeof(char));
+        newmsg = calloc(strlen(otn_tmp->message), sizeof(char));
+        strncat(realmsg, otn_tmp->message, strlen(otn_tmp->message) +1);
+
+        while (ds_ptr != NULL)
+        {
+            newmsg = calloc(strlen(otn_tmp->message), sizeof(char));
+            strncat(newmsg, " - ", 3);
+            strncat(newmsg, ds_ptr->system, strlen(ds_ptr->system) +1);
+            strncat(newmsg, " ", 1);
+            strncat(newmsg, ds_ptr->id, strlen(ds_ptr->id) +1);
+
+            strncat(realmsg, newmsg, strlen(newmsg) +1);
+#ifdef DEBUG
+            printf("Added %s %s : currently %s\n", ds_ptr->id, ds_ptr->system, realmsg);
+#endif
+            ds_ptr = ds_ptr->next;
+        }
+        strncat(newmsg, otn_tmp->message, strlen(otn_tmp->message) +1); 
+        otn_tmp->message = realmsg;
+    }  
+
 #ifdef DEBUG
-        printf("OptListEnd\n");
+    printf("OptListEnd\n");
 #endif
 
         AddOptFuncToList(OptListEnd, otn_tmp);
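Review bot: Both `calloc` calls at the top of the `ghetto_msg_flag` block size their buffers as `strlen(otn_tmp->message)`, which leaves no byte for the terminator and no room for the references appended afterwards, so each `strncat` into `realmsg` and `newmsg` (whose length argument of `strlen(...) + 1` is not a bound on the destination) writes past the end of the allocation — a heap overflow reached by any rule carrying a `reference:` option. `newmsg` is additionally re-allocated on every loop iteration and never freed, and the `strncat(newmsg, otn_tmp->message, ...)` after the loop fills a buffer that is never read. The rewrite below measures the result in a first pass, allocates once, and builds it with bounded `snprintf` calls, after which `newmsg` (declared in the first hunk of this file) is unused and can be dropped; whether the old `otn_tmp->message` is heap-owned and should be freed is not visible here, so confirm before adding a `free`. The enclosing function starts and ends outside the hunk.

```c
    if((pv.ghetto_msg_flag) && (otn_tmp != NULL))
    {
        size_t need, used;

        ds_ptr = (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];

        /* pass 1: size the final message, plus one byte for the terminator */
        need = strlen(otn_tmp->message) + 1;
        while(ds_ptr != NULL)
        {
            if(ds_ptr->system != NULL && ds_ptr->id != NULL)
                need += strlen(" - ") + strlen(ds_ptr->system)
                        + strlen(" ") + strlen(ds_ptr->id);
            ds_ptr = ds_ptr->next;
        }

        realmsg = calloc(need, sizeof(char));
        if(realmsg == NULL)
        {
            perror("calloc");
            exit(1);
        }

        /* pass 2: every write is bounded by the space left in realmsg */
        used = (size_t)snprintf(realmsg, need, "%s", otn_tmp->message);
        ds_ptr = (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];
        while(ds_ptr != NULL)
        {
            if(ds_ptr->system != NULL && ds_ptr->id != NULL)
                used += (size_t)snprintf(realmsg + used, need - used, " - %s %s",
                                         ds_ptr->system, ds_ptr->id);
            ds_ptr = ds_ptr->next;
        }

        otn_tmp->message = realmsg;
    }
    /* … unchanged: OptListEnd debug print and AddOptFuncToList call … */
```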
Index: snort.c
===================================================================
RCS file: /cvsroot/snort/snort/snort.c,v
retrieving revision 1.75
diff -u -r1.75 snort.c
--- snort.c	2001/03/14 22:05:31	1.75
+++ snort.c	2001/03/15 22:59:08
@@ -523,6 +523,7 @@
     fputs("        -e         Display the second layer header info\n", stderr);
     fputs("        -F <bpf>   Read BPF filters from file <bpf>\n", stderr);
     fputs("        -g <gname> Run snort gid as <gname> group (or gid) after initialization\n", stderr);
+    fputs("        -G         Add reference IDs back into MSG.  (Ghetto backwards compatability)", stderr);
     fputs("        -h <hn>    Home network = <hn>\n", stderr);
     fputs("        -i <if>    Listen on interface <if>\n", stderr);
     fputs("        -I         Add Interface name to alert output\n", stderr);
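Review bot: The added `-G` usage line is the only `fputs` in this block without a trailing `\n`, so the `-h <hn>` line is printed on the same row of the help output; while touching it, the user-facing text also misspells "compatibility". Change it to `fputs("        -G         Add reference IDs back into MSG.  (Ghetto backwards compatibility)\n", stderr);`. The enclosing usage function starts and ends outside the hunk.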
@@ -598,7 +599,7 @@
 
     /* loop through each command line var and process it */
     while((ch = getopt(argc, argv,
-            "XL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:i:vV?aso6u:g:t:Uy")) != -1)
+            "XL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:i:GvV?aso6u:g:t:Uy")) != -1)
     {
         DebugMessage(DEBUG_INIT, "Processing cmd line switch: %c\n", ch);
         switch(ch)
@@ -717,6 +718,14 @@
                     groupid = gr->gr_gid;
                 }
                 break;
+
+            case 'G':                /* ghetto backwards compatability msgs */
+	        pv.ghetto_msg_flag = 1;
+#ifdef DEBUG
+                printf("Ghetto Messages enabled\n");
+#endif
+
+		break;
 
             case 'h':                /* set home network to x, this will help
                                      * determine what to set logging diectories
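Review bot: The `pv.ghetto_msg_flag = 1;` and `break;` lines in the new `case 'G'` are indented with tabs while every neighbouring case in the switch uses spaces, which will show up as misaligned code in any editor with a different tab width. The debug output also uses `#ifdef DEBUG` around a bare `printf` although this same loop already reports through `DebugMessage(DEBUG_INIT, ...)` a few lines above; `DebugMessage(DEBUG_INIT, "Ghetto Messages enabled\n");` would match the surrounding style and drop the preprocessor block. The enclosing function starts and ends outside the hunk.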
Index: snort.h
===================================================================
RCS file: /cvsroot/snort/snort/snort.h,v
retrieving revision 1.30
diff -u -r1.30 snort.h
--- snort.h	2001/03/14 20:07:15	1.30
+++ snort.h	2001/03/15 22:59:09
@@ -200,6 +200,7 @@
     char *binLogFile;
     int use_utc;
     int include_year;
+    int ghetto_msg_flag;
 } PV;
 
 /* struct to collect packet statistics */

