[Snort-users] Incorrect IP Flags Values in database output.
beenph at ...11827...
Wed Aug 17 13:49:38 EDT 2011
On Wed, Aug 17, 2011 at 10:25 AM, <kareem at ...15353...> wrote:
> Just one last note to make sure that everyone understands the problem. The
> problem is not with the schema of the database this time. The problem is
> with interpretation of the output of decode.c. The frag_flag element
> actually indicates that a packet is a fragment, it does not store the ip
> fragmentation flags. The output plugin for the database then stuffs the
> frag_flag element into ip_flags in the database. So the wrong information
> is getting populated into the database field.
Everything that happens in decode is fine,
since all the information you would want is accessible:
p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15);
p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14);
p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13);
ntohs(p->iph->ip_off) which is used to set value of p->frag_offset.
Maybe you would like to modify spo_database to suit your needs and log
ntohs(p->iph->ip_off); instead of p->frag_flag.
I might be wrong here but what Russ mentioned previously is that
all the main UIs using the schema are expecting the p->frag_flag value
instead of ntohs(p->iph->ip_off).
But if you want to use the native flag its there for you to plug in
the code and use.
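The following is an added example, not code from the thread or from the Snort source. It decodes the 16-bit ip_off field the same way the three lines above do, and adds a frag_flag derived from it (the rule "MF set or non-zero offset" is an assumption based on kareem's description, not a quote of decode.c). Running it on a few constructed ip_off values shows why storing frag_flag in an ip_flags column loses information: a DF-only packet has frag_flag 0 but real flags of 2, and a last fragment at a non-zero offset has frag_flag 1 but real flags of 0. The names decode_ip_off, decode_ip_off_net, ip_flags_bits and IpFragInfo are mine.

```c
/* Added example (not from Snort or the mailing-list thread): decode the IPv4
 * ip_off field into RF/DF/MF, the fragment offset and a "is fragment" flag,
 * and show how the two differ. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohs, htons */

#define IP_RF      0x8000u  /* reserved bit */
#define IP_DF      0x4000u  /* Don't Fragment */
#define IP_MF      0x2000u  /* More Fragments */
#define IP_OFFMASK 0x1fffu  /* 13-bit fragment offset, in 8-byte units */

typedef struct {
    uint8_t  rf, df, mf;     /* the individual flag bits, as decode.c keeps them */
    uint16_t frag_offset;    /* fragment offset in 8-byte units */
    uint8_t  frag_flag;      /* 1 = this packet is a fragment */
} IpFragInfo;

/* Host-order version: takes the value after ntohs() has been applied. */
IpFragInfo decode_ip_off(uint16_t off)
{
    IpFragInfo f;
    f.rf = (uint8_t)((off & IP_RF) >> 15);
    f.df = (uint8_t)((off & IP_DF) >> 14);
    f.mf = (uint8_t)((off & IP_MF) >> 13);
    f.frag_offset = off & IP_OFFMASK;
    /* Assumption, following the thread's description: a packet is a
     * fragment when MF is set or the offset is non-zero. */
    f.frag_flag = (f.mf || f.frag_offset) ? 1 : 0;
    return f;
}

/* Wire-order version: what you would call with p->iph->ip_off. */
IpFragInfo decode_ip_off_net(uint16_t ip_off_net)
{
    return decode_ip_off(ntohs(ip_off_net));
}

/* The value an ip_flags column should carry: the three flag bits as 0..7
 * (RF=4, DF=2, MF=1), not the frag_flag boolean. */
uint8_t ip_flags_bits(const IpFragInfo *f)
{
    return (uint8_t)((f->rf << 2) | (f->df << 1) | f->mf);
}

int main(void)
{
    /* Constructed sample ip_off values, host order. */
    const uint16_t samples[] = { 0x4000, 0x2000, 0x0010, 0x2010, 0x0000 };
    printf("ip_off  RF DF MF offset frag_flag ip_flags\n");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        IpFragInfo f = decode_ip_off(samples[i]);
        printf("0x%04x  %u  %u  %u  %5u      %u        %u\n",
               samples[i], f.rf, f.df, f.mf, f.frag_offset,
               f.frag_flag, ip_flags_bits(&f));
    }
    return 0;
}
```

The table it prints makes the mismatch visible in both directions: 0x4000 (DF only) gives frag_flag 0 and ip_flags 2, while 0x0010 (last fragment, offset 16) gives frag_flag 1 and ip_flags 0. An output plugin that wants real IP flags in ip_flags needs the value of ip_flags_bits(), or the raw ntohs(ip_off), rather than frag_flag.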