[Snort-users] Re: [Snort-devel] ghetto references patch

Martin Roesch roesch at ...421...
Fri Mar 16 22:14:00 EST 2001


Patched and committed.

     -Marty



Brian Caswell wrote:
> 
> Many of you are pissy about my changes to the rules.
> 
> For those of you that are using ghetto output plugins without support
> for references, I've developed the ghetto patch for you.
> 
> This adds a ghetto commandline option to merge references back into the
> msg.
> 
> use "-G" to use this ghetto functionality.
> 
> As you might have guessed, the G is for ghetto.
> 
> -brian
> 
>   ------------------------------------------------------------------------
> Index: rules.c
> ===================================================================
> RCS file: /cvsroot/snort/snort/rules.c,v
> retrieving revision 1.48
> diff -u -r1.48 rules.c
> --- rules.c     2001/03/14 20:07:15     1.48
> +++ rules.c     2001/03/15 22:59:07
> @@ -1555,6 +1555,12 @@
>      OptTreeNode *otn_idx;
>      KeywordXlateList *kw_idx;
> 
> +    ReferenceData *ds_ptr;  /* data struct pointer */
> +    char *newmsg;
> +    char *realmsg;
> +
> +
> +
>      /* set the OTN to the beginning of the list */
>      otn_idx = rtn_tmp->down;
> 
> @@ -1740,8 +1746,40 @@
>              --num_toks;
>              i++;
>          }
> +
> +
> +    if((pv.ghetto_msg_flag) && (otn_tmp != NULL))
> +    {
> +
> +#ifdef DEBUG
> +    printf("Adding ghetto references\n");
> +#endif
> +        ds_ptr = (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];
> +
> +        realmsg = calloc(strlen(otn_tmp->message), sizeof(char));
> +        newmsg = calloc(strlen(otn_tmp->message), sizeof(char));
> +        strncat(realmsg, otn_tmp->message, strlen(otn_tmp->message) +1);
> +
> +        while (ds_ptr != NULL)
> +        {
> +            newmsg = calloc(strlen(otn_tmp->message), sizeof(char));
> +            strncat(newmsg, " - ", 3);
> +            strncat(newmsg, ds_ptr->system, strlen(ds_ptr->system) +1);
> +            strncat(newmsg, " ", 1);
> +            strncat(newmsg, ds_ptr->id, strlen(ds_ptr->id) +1);
> +
> +            strncat(realmsg, newmsg, strlen(newmsg) +1);
> +#ifdef DEBUG
> +            printf("Added %s %s : currently %s\n", ds_ptr->id, ds_ptr->system, realmsg);
> +#endif
> +            ds_ptr = ds_ptr->next;
> +        }
> +        strncat(newmsg, otn_tmp->message, strlen(otn_tmp->message) +1);
> +        otn_tmp->message = realmsg;
> +    }
> +
>  #ifdef DEBUG
> -        printf("OptListEnd\n");
> +    printf("OptListEnd\n");
>  #endif
> 
>          AddOptFuncToList(OptListEnd, otn_tmp);
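Review bot: The buffers allocated at the top of the new block are too small for what is written into them: `calloc(strlen(otn_tmp->message), sizeof(char))` leaves no byte for the terminator, yet `strncat(realmsg, otn_tmp->message, strlen(otn_tmp->message) + 1)` copies the whole message plus its NUL into it, and every ` - system id` fragment is then appended to both `newmsg` and `realmsg` without either buffer growing, so the heap write overruns for any rule that carries a reference (the `n` argument of `strncat` bounds the source, not the destination, so it offers no protection here). `newmsg` is also re-allocated on every loop iteration with the previous buffer leaked, and the `strncat(newmsg, otn_tmp->message, ...)` after the loop fills a buffer nothing reads afterwards. A safer shape is to size the result once from the message and all references, allocate it once, and append with `snprintf` into the known remaining space, which also makes `newmsg` unnecessary. The enclosing function starts and ends outside the hunk, and `ds_ptr->system` / `ds_ptr->id` are assumed non-NULL as in the original — confirm.
```c
    if((pv.ghetto_msg_flag) && (otn_tmp != NULL))
    {
        ReferenceData *ref;
        size_t total;
        size_t len;

        ds_ptr = (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];

        /* size the result first: message, " - <system> <id>" per reference, NUL */
        total = strlen(otn_tmp->message) + 1;
        for(ref = ds_ptr; ref != NULL; ref = ref->next)
            total += 3 + strlen(ref->system) + 1 + strlen(ref->id);

        /* on allocation failure keep the original message rather than crash */
        realmsg = calloc(total, sizeof(char));
        if(realmsg != NULL)
        {
            len = strlen(otn_tmp->message);
            memcpy(realmsg, otn_tmp->message, len + 1);
            while(ds_ptr != NULL)
            {
                /* total was computed exactly, so this never truncates */
                len += (size_t)snprintf(realmsg + len, total - len, " - %s %s",
                                        ds_ptr->system, ds_ptr->id);
                ds_ptr = ds_ptr->next;
            }
            otn_tmp->message = realmsg;
        }
    }
    /* … unchanged: DEBUG "OptListEnd" print and AddOptFuncToList call … */
```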
> Index: snort.c
> ===================================================================
> RCS file: /cvsroot/snort/snort/snort.c,v
> retrieving revision 1.75
> diff -u -r1.75 snort.c
> --- snort.c     2001/03/14 22:05:31     1.75
> +++ snort.c     2001/03/15 22:59:08
> @@ -523,6 +523,7 @@
>      fputs("        -e         Display the second layer header info\n", stderr);
>      fputs("        -F <bpf>   Read BPF filters from file <bpf>\n", stderr);
>      fputs("        -g <gname> Run snort gid as <gname> group (or gid) after initialization\n", stderr);
> +    fputs("        -G         Add reference IDs back into MSG.  (Ghetto backwards compatability)", stderr);
>      fputs("        -h <hn>    Home network = <hn>\n", stderr);
>      fputs("        -i <if>    Listen on interface <if>\n", stderr);
>      fputs("        -I         Add Interface name to alert output\n", stderr);
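Review bot: The added usage line for `-G` lacks the trailing `\n` that every neighbouring `fputs` line carries, so in the help output the `-h` line will be printed on the same line as it; the line should read `fputs("        -G         Add reference IDs back into MSG.  (Ghetto backwards compatability)\n", stderr);` (and "compatability" could be corrected to "compatibility" while touching it).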
> @@ -598,7 +599,7 @@
> 
>      /* loop through each command line var and process it */
>      while((ch = getopt(argc, argv,
> -            "XL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:i:vV?aso6u:g:t:Uy")) != -1)
> +            "XL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:i:GvV?aso6u:g:t:Uy")) != -1)
>      {
>          DebugMessage(DEBUG_INIT, "Processing cmd line switch: %c\n", ch);
>          switch(ch)
> @@ -717,6 +718,14 @@
>                      groupid = gr->gr_gid;
>                  }
>                  break;
> +
> +            case 'G':                /* ghetto backwards compatability msgs */
> +               pv.ghetto_msg_flag = 1;
> +#ifdef DEBUG
> +                printf("Ghetto Messages enabled\n");
> +#endif
> +
> +               break;
> 
>              case 'h':                /* set home network to x, this will help
>                                       * determine what to set logging diectories
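Review bot: The new `case 'G'` reports through `#ifdef DEBUG printf(...)` while the surrounding option parser reports through `DebugMessage(DEBUG_INIT, ...)` (see the line just above the `switch`), and its body is indented by three spaces where the neighbouring cases use four; `DebugMessage(DEBUG_INIT, "Ghetto Messages enabled\n");` at the same indent as `pv.ghetto_msg_flag = 1;` would match both conventions and drop the `#ifdef` block. The `switch` and its enclosing function start and end outside the hunk.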
> Index: snort.h
> ===================================================================
> RCS file: /cvsroot/snort/snort/snort.h,v
> retrieving revision 1.30
> diff -u -r1.30 snort.h
> --- snort.h     2001/03/14 20:07:15     1.30
> +++ snort.h     2001/03/15 22:59:09
> @@ -200,6 +200,7 @@
>      char *binLogFile;
>      int use_utc;
>      int include_year;
> +    int ghetto_msg_flag;
>  } PV;
> 
>  /* struct to collect packet statistics */

--
Martin Roesch
roesch at ...421...
http://www.snort.org



