Snort mailing list archives
Re: How to log an IP address in dpx.c ?
From: Steven Sturges <ststurge () cisco com>
Date: Mon, 15 Sep 2014 09:27:10 -0400
If you have an sfip_t pointer, look at providing a buffer/length to sfip_ntop() and then
logging that buffer via _dpd.logMsg(). That will handle both IPv4 & IPv6.

Cheers.
-steve

On 9/15/14, 9:11 AM, Emiliano Fausto wrote:
> Hello Luc, what if you try with something like this?
>
>     _dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
>                 (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
>                 (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF,
>                 src_port_test);
>
> Maybe there's a better way, but hope it helps.
>
> Regards,
> Emiliano.
>
> 2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw () hr nl>:
>> Hi Emiliano,
>>
>> I am still trying to log the IP4 source and IP4 destination addresses in
>> dotted decimal format. I was too fast in my opinion that everything worked
>> fine using the code you provided previously. I hope you will help me once
>> again (or anyone else) to figure out what is wrong.
>>
>> When I am adding this code to the dpx.c (from the dpx-1.6.tar.gz) just
>> before the last }
>>
>>     IP4Hdr iphd;
>>     sfip_t iphdt;
>>
>>     iphdt = iphd.ip_src;
>>     unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
>>     unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
>>                                (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
>>     unsigned short int src_port_test = p->src_port;
>>
>>     iphdt = iphd.ip_dst;
>>     unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
>>     unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
>>                                (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
>>     unsigned short int dst_port_test = p->dst_port;
>>
>>     _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
>>                 src_ip_test, src_port_test, dst_ip_test, dst_port_test);
>>
>> I cannot find the correct IP address output (the port numbers are correct)
>> when running ./test.sh (using test.pcap as input):
>>
>>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
>>     Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
>>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
>>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
>>     Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
>>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
>>
>> The IPsrc should be 10.1.2.3 ... The IPdst should be 10.4.5.6 ...
>> I cannot figure out what is wrong.
>>
>> Any help is appreciated.
>>
>> Regards,
>> Luc
>>
>> >>> Zeeuw, L.V. de 07/25/14 9:19 AM >>>
>>> Hi Emiliano, thank you! I have tried this and indeed it works fine if I
>>> use IP4Hdr iphd; sfip_t iphdt; for the declaration. These code snippets
>>> are very useful!
>>>
>>> Regards,
>>> Luc
>>>
>>> >>> Emiliano Fausto <emiliano.fausto () gmail com> 07/24/14 6:49 PM >>>
>>>> Hello Luc, I've tried this testing and it works fine:
>>>>
>>>>     iphdt = iphd.ip_src;
>>>>     unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
>>>>     unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
>>>>                                (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
>>>>     unsigned short int src_port_test = p->src_port;
>>>>
>>>>     iphdt = iphd.ip_dst;
>>>>     unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
>>>>     unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
>>>>                                (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
>>>>     unsigned short int dst_port_test = p->dst_port;
>>>>
>>>>     _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
>>>>                 src_ip_test, src_port_test, dst_ip_test, dst_port_test);
>>>>
>>>> Hope it helps,
>>>> Emiliano.
>>>>
>>>> 2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw () hr nl>:
>>>>> Hi,
>>>>>
>>>>> I am experimenting with the dpx. It's working. Now I started adding some
>>>>> statements to view the content of the ip4/tcp headers. I am able to log
>>>>> things like src/dst, TCP payload size, etc.
>>>>>
>>>>>     SFSnortPacket* p = (SFSnortPacket*)pkt;
>>>>>     //_dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port, p->dst_port);
>>>>>     _dpd.logMsg("Payload size %i\n", p->payload_size);
>>>>>
>>>>> but from sf_snort_packet.h and sf_ip.h (??) I do not know how to log an
>>>>> ip-address ... I should like to ...
>>>>>
>>>>>     _dpd.logMsg("Source ip ??? \n", ???);
>>>>>
>>>>> BTW: Are there any recent books/tutorials for these kind of questions you
>>>>> would recommend? What about Snort development documentation for the most
>>>>> recent Snort version?
>>>>>
>>>>> Any help is appreciated.
>>>>>
>>>>> Regards,
>>>>> Luc
>>>>> the Netherlands

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
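A stand-alone C illustration of the two approaches discussed in the thread, added here; it is not code from the thread or from Snort. It cannot link against Snort's sfip_t/sfip_ntop(), so it assumes a small example_ip_t struct (family plus network-order address bytes) in their place and uses the standard inet_ntop() to show the buffer/length pattern Steven recommends, next to the shift-and-mask route Emiliano posted. The function names format_ip, format_ip_equals, ipv4_host_order and format_ipv4_manual are assumptions for the example. Two points worth noting against the thread: Luc's snippet declares `IP4Hdr iphd;` but never assigns it from the packet before reading iphd.ip_src, so the bytes it folds into src_ip_test are indeterminate, and the value it printed, 16777216, is exactly 1 << 24, i.e. a first byte of 1 followed by three zero bytes. A caller-supplied buffer with its length, as in the first function below, also reports a too-small buffer instead of overflowing it.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Assumed stand-in for Snort's sfip_t: an address family plus the raw
 * address bytes in network byte order (4 used for IPv4, 16 for IPv6).
 * This struct is an assumption for the example, not Snort's definition. */
typedef struct {
    int     family;   /* AF_INET or AF_INET6 */
    uint8_t ip[16];   /* network byte order */
} example_ip_t;

/* Buffer/length formatting, the pattern described for sfip_ntop(): the
 * caller owns the buffer, the function writes a NUL-terminated string into
 * it, and the result is safe to pass to a %s format. inet_ntop() is the
 * portable equivalent used here; it handles IPv4 and IPv6 and returns NULL
 * (errno set) instead of overflowing a buffer that is too small. */
const char *format_ip(const example_ip_t *addr, char *buf, size_t len)
{
    return inet_ntop(addr->family, addr->ip, buf, (socklen_t)len);
}

/* Returns 1 if addr formats exactly to expected, 0 otherwise. */
int format_ip_equals(const example_ip_t *addr, const char *expected)
{
    char buf[INET6_ADDRSTRLEN];
    const char *s = format_ip(addr, buf, sizeof buf);
    return s != NULL && strcmp(s, expected) == 0;
}

/* The manual IPv4 route from the thread: fold the four network-order bytes
 * into one host-order integer, then print it with shifts and masks. Correct
 * only for IPv4, and only if the four bytes come from a header that was
 * actually filled in from the packet. */
uint32_t ipv4_host_order(const uint8_t b[4])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Mirrors the %u.%u.%u.%u format suggested in the thread; returns the number
 * of characters written (excluding the NUL), as snprintf() does. */
int format_ipv4_manual(uint32_t host_order, char *buf, size_t len)
{
    return snprintf(buf, len, "%u.%u.%u.%u",
                    (unsigned)((host_order >> 24) & 0xFFu),
                    (unsigned)((host_order >> 16) & 0xFFu),
                    (unsigned)((host_order >> 8) & 0xFFu),
                    (unsigned)(host_order & 0xFFu));
}

/* Returns 1 if host_order prints exactly as expected, 0 otherwise. */
int format_ipv4_manual_equals(uint32_t host_order, const char *expected)
{
    char buf[INET_ADDRSTRLEN];
    int n = format_ipv4_manual(host_order, buf, sizeof buf);
    return n > 0 && (size_t)n < sizeof buf && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample addresses: the ones Luc expected, plus one IPv6. */
    example_ip_t src = { AF_INET,  {10, 1, 2, 3} };
    example_ip_t dst = { AF_INET,  {10, 4, 5, 6} };
    example_ip_t v6  = { AF_INET6, {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                    0, 0, 0, 0, 0, 0, 0, 1} };
    char buf[INET6_ADDRSTRLEN];

    printf("src %s\n", format_ip(&src, buf, sizeof buf) ? buf : "(invalid)");
    printf("dst %s\n", format_ip(&dst, buf, sizeof buf) ? buf : "(invalid)");
    printf("v6  %s\n", format_ip(&v6,  buf, sizeof buf) ? buf : "(invalid)");

    /* Same IPv4 address via the manual route; the integer is what the
     * thread's "ipsrc%u" printed before being split into octets. */
    uint32_t n = ipv4_host_order(src.ip);
    format_ipv4_manual(n, buf, sizeof buf);
    printf("src as %%u: %u, as dotted quad: %s\n", (unsigned)n, buf);

    /* A buffer that is too small is rejected rather than overflowed. */
    char tiny[4];
    printf("tiny buffer: %s\n",
           format_ip(&src, tiny, sizeof tiny) ? tiny : "rejected");
    return 0;
}
```

Inside a real preprocessor the same shape applies: pass a local char buffer and its size to the Snort formatting call, check the return value, and hand the buffer to _dpd.logMsg() with a %s format, which keeps the logging code independent of whether the packet was IPv4 or IPv6.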
Current thread:
- How to log an IP address in dpx.c ? Zeeuw, L.V. de (Jul 24)
- Re: How to log an IP address in dpx.c ? Emiliano Fausto (Jul 24)
- Re: How to log an IP address in dpx.c ? Zeeuw, L.V. de (Jul 25)
- <Possible follow-ups>
- Re: How to log an IP address in dpx.c ? Zeeuw, L.V. de (Sep 15)
- Re: How to log an IP address in dpx.c ? Emiliano Fausto (Sep 15)
- Re: How to log an IP address in dpx.c ? Zeeuw, L.V. de (Sep 15)
- Re: How to log an IP address in dpx.c ? Steven Sturges (Sep 15)
- Re: How to log an IP address in dpx.c ? Zeeuw, L.V. de (Sep 16)
- Re: How to log an IP address in dpx.c ? Emiliano Fausto (Sep 16)
- Re: How to log an IP address in dpx.c ? Emiliano Fausto (Sep 15)
- Re: How to log an IP address in dpx.c ? Emiliano Fausto (Jul 24)
