[Snort-users] Again snort and unixsocket

Fyodor fygrave at ...121...
Sun Nov 25 16:54:02 EST 2001


On Sun, Nov 25, 2001 at 10:47:02PM +0100, TSauter at ...158... wrote:
> 
> Hello snort-users,
> 
> first, thanks for all replies to my previous post. After some probs and
> manuals,
> I've got now the following code:
> 
> <snip>
>         Alertpkt alert;
> 	while((connfd = recvfrom(sockfd, &alert, sizeof(alert), 0,
> 		(struct sockaddr *) &adresse, (socklen_t *) &adrlen)) > 0)
> 	{
> 		Packet *p;
> 		p = (void *)&alert.pkt;
replace this with:
        if (!(alert.val & NOPACKET_STRUCT)) {
            if ((p = calloc(1, sizeof(Packet))) == NULL) {
                perror("calloc");
                exit(1);
            }

            /* the socket only carries the raw packet plus header offsets,
             * so rebuild the Packet pointers from those offsets */
            p->pkt = alert.pkt;
            p->pkth = &alert.pkth;
            if (alert.dlthdr) p->eh = (EtherHdr *)(alert.pkt + alert.dlthdr);
            if (alert.nethdr) p->iph = (IPHdr *)(alert.pkt + alert.nethdr);
            if (alert.transhdr && p->iph) {
                switch(p->iph->ip_proto) {
                    case IPPROTO_TCP:
                        p->tcph = (TCPHdr *)(alert.pkt + alert.transhdr);
                        break;
                    case IPPROTO_UDP:
                        p->udph = (UDPHdr *)(alert.pkt + alert.transhdr);
                        break;
                    case IPPROTO_ICMP:
                        p->icmph = (ICMPHdr *)(alert.pkt + alert.transhdr);
                        break;
                    default:
                        printf("WTF!\n");
                }
            } /* if (alert.transhdr) */
            if (alert.data) p->data = alert.pkt + alert.data;

            /* now do whatever you want with these packet structures,
             * and free(p) once you are done with it */
        } /* if (!NOPACKET_STRUCT) */
> 
> 		printf("%s [%d]\n", alert.alertmsg, alert.event.event_id);
> 		printf("%d->%d\n", p->sp, p->dp);

        if (p->iph) {
            printf("from: %s ", inet_ntoa(p->iph->ip_src));
            printf("to: %s\n", inet_ntoa(p->iph->ip_dst));
        }
etc..

> 		fflush(NULL);
> 	}
> </snip>
> 
> infos like ip-addresses or ports. I think all infos should be stored in
> "alert.pkt", which is simply a pointer to a Packet structure (decode.h). But how can I

No, just the pure packet captured off the wire plus offsets to the relevant data
structures are stored. You can't store the Packet structure in it, because the
Packet structure has lots of pointers to data located outside of the
Packet structure. So I had to use offsets instead (and recalculate the pointers
in the client code).


hope it helps,
 -Fyodor
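The offset-to-pointer reconstruction Fyodor describes, as an added stand-alone example that is not from the mail above and not Snort's own code. The `AlertMsg`, `Decoded` and header structs here are hypothetical simplified stand-ins for Snort's Alertpkt, Packet and decode.h types (same field names, not the same layout), and the sample frame is constructed inline. What it adds over the snippet in the mail is that every offset read from the socket is checked against the captured length before it is turned into a pointer, so a truncated or corrupt message is rejected instead of being dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for Snort's Alertpkt (names follow the mail above;
 * this is NOT Snort's real layout): raw frame, bytes present, byte offsets
 * of each header, and a flag word. */
#define NOPACKET_STRUCT 0x1
#define DEMO_SNAPLEN    1514

typedef struct {
    uint32_t val;       /* NOPACKET_STRUCT: no packet, offsets meaningless */
    uint32_t caplen;    /* bytes actually present in pkt[] */
    uint32_t dlthdr;    /* offset of the link-layer header */
    uint32_t nethdr;    /* offset of the IP header, 0 = absent */
    uint32_t transhdr;  /* offset of the TCP/UDP header, 0 = absent */
    uint32_t data;      /* offset of the payload, 0 = absent */
    uint8_t  pkt[DEMO_SNAPLEN];
} AlertMsg;

/* Minimal header views; packed so reads at odd offsets are safe. */
typedef struct __attribute__((packed)) { uint8_t dst[6], src[6]; uint16_t type; } EthHdr;
typedef struct __attribute__((packed)) {
    uint8_t vhl, tos; uint16_t len, id, off; uint8_t ttl, proto; uint16_t csum;
    struct in_addr src, dst;
} IpHdr;
typedef struct __attribute__((packed)) { uint16_t sport, dport; uint32_t seq, ack;
    uint8_t off, flags; uint16_t win, csum, urp; } TcpHdr;
typedef struct __attribute__((packed)) { uint16_t sport, dport, len, csum; } UdpHdr;

/* Client-side equivalent of Snort's Packet: pointers into pkt[]. */
typedef struct {
    const EthHdr *eh; const IpHdr *iph; const TcpHdr *tcph; const UdpHdr *udph;
    const uint8_t *payload; size_t payload_len;
} Decoded;

/* True if `need` bytes starting at `off` lie inside the captured bytes. */
static int fits(uint32_t off, size_t need, uint32_t caplen)
{
    return off <= caplen && need <= (size_t)(caplen - off);
}

/* Rebuild header pointers from the offsets.  The message arrives over a
 * socket, so each offset is bounds-checked before it becomes a pointer.
 * Returns 0 on success, 1 if no packet is attached, -1 if the message is bad. */
int decode_alert(const AlertMsg *a, Decoded *d)
{
    memset(d, 0, sizeof *d);
    if (a->val & NOPACKET_STRUCT) return 1;
    if (a->caplen > DEMO_SNAPLEN) return -1;

    if (fits(a->dlthdr, sizeof(EthHdr), a->caplen))
        d->eh = (const EthHdr *)(a->pkt + a->dlthdr);

    if (a->nethdr) {
        if (!fits(a->nethdr, sizeof(IpHdr), a->caplen)) return -1;
        d->iph = (const IpHdr *)(a->pkt + a->nethdr);
        if ((d->iph->vhl >> 4) != 4 || (d->iph->vhl & 0x0f) < 5) return -1;
    }
    if (a->transhdr) {
        if (!d->iph) return -1;          /* transport offset but no IP header */
        switch (d->iph->proto) {
        case IPPROTO_TCP:
            if (!fits(a->transhdr, sizeof(TcpHdr), a->caplen)) return -1;
            d->tcph = (const TcpHdr *)(a->pkt + a->transhdr);
            break;
        case IPPROTO_UDP:
            if (!fits(a->transhdr, sizeof(UdpHdr), a->caplen)) return -1;
            d->udph = (const UdpHdr *)(a->pkt + a->transhdr);
            break;
        default:
            return -1;                   /* protocol this example does not decode */
        }
    }
    if (a->data) {
        if (a->data > a->caplen) return -1;
        d->payload = a->pkt + a->data;
        d->payload_len = a->caplen - a->data;
    }
    return 0;
}

/* Constructed sample: Ethernet + IPv4 10.0.0.1->10.0.0.2 + UDP 12345->53 + "hello". */
void make_sample(AlertMsg *a)
{
    static const uint8_t frame[] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        0x45,0x00,0x00,0x21, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
        10,0,0,1, 10,0,0,2,
        0x30,0x39, 0x00,0x35, 0x00,0x0d, 0x00,0x00,
        'h','e','l','l','o'
    };
    memset(a, 0, sizeof *a);
    memcpy(a->pkt, frame, sizeof frame);
    a->caplen = sizeof frame;
    a->dlthdr = 0; a->nethdr = 14; a->transhdr = 34; a->data = 42;
}

int main(void)
{
    AlertMsg a; Decoded d;
    make_sample(&a);
    if (decode_alert(&a, &d) == 0 && d.iph && d.udph) {
        printf("from: %s ", inet_ntoa(d.iph->src));
        printf("to: %s %u->%u\n", inet_ntoa(d.iph->dst),
               ntohs(d.udph->sport), ntohs(d.udph->dport));
    }
    return 0;
}
```

The `fits()` check is the part worth carrying into a real unix-socket client: the offsets are whatever the sender put on the wire, and only `caplen` (Snort's `pkth.caplen`) tells you how far into `pkt[]` a pointer may legitimately reach.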



