[Snort-users] Incorrect IP Flags Values in database output.

beenph beenph at ...11827...
Wed Aug 17 13:49:38 EDT 2011


On Wed, Aug 17, 2011 at 10:25 AM,  <kareem at ...15353...> wrote:
> Just one last note to make sure that everyone underastands the problem.  The
> problem is not with the schema of the database this time.  The problem is
> with interpertation of the output of decode.c.  The frag_flag element
> actually indicates that a packet is a frament, it does not store the ip
> fragmentation flags.  The output plugin for the database then stuffs the
> frag_flag element into ip_flags in the database.  So the wrong information
> is getting populated into the database field.
>
> Kareem
>

Everything that happen in decode is fine
since all the information you would want is accessible


p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15);
p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14);
p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13);

And

ntohs(p->iph->ip_off) which is used to set value of  p->frag_offset.

Mabey you would like to modify spo_database to suit your needs and log
ntohs(p->iph->ip_off); instead of p->frag_flag.

I might be wrong here but what what russ mentionned previously is that
all the main UI's using the schema are espected p->frag_flag value
instead of  ntohs(p->iph->ip_off).

But if you want to use the native flag its there for you to plug in
the code and use.

-elz.




More information about the Snort-users mailing list