barnyard problem dotted quad backwards or corrupted?

["Michael Scheidell" <security () fdma com>]

I have the CSV barnyard as of march 30th and have a problem with the CSV
plugin;
I used snort 1.8.6, WITH AND WITHOUT the spo_unified.c patch. and can't seem
to get the output I expected.

WITH the patch, and using barnyard.conf lines:
 proto,timestamp,srcip,sport,dstip,dport,sig_id

I expected:
6,"2002-04-10 16:10:54",172.18.92.26,2349,192.168.3.5,80,1002
but got:

6,"2002-04-10 16:10:54",0.0.172.18,2349,0.0.192.168,80,1002
(note leading 0.0 ?


problem is patch:
patch is
--- ../../../snort-1.8/spo_unified.c    Tue Mar 26 12:52:19 2002
+++ spo_unified.c       Tue Mar 26 13:33:17 2002
@@ -482,8 +477,8 @@

         if(p->iph != NULL)
         {
-            alertdata.sip = p->iph->ip_src.s_addr;
-            alertdata.dip = p->iph->ip_dst.s_addr;
+            alertdata.sip = ntohs(p->iph->ip_src.s_addr);
+            alertdata.dip = ntohs(p->iph->ip_dst.s_addr);
             if(p->iph->ip_proto == IPPROTO_ICMP)
             {
                 if(p->icmph != NULL)


patch SHOULD BE (at least on 32 bit FREEBSD 4.5)

--- ../../../snort-1.8/spo_unified.c    Tue Mar 26 12:52:19 2002
+++ spo_unified.c       Tue Mar 26 13:33:17 2002
@@ -482,8 +477,8 @@

         if(p->iph != NULL)
         {
-            alertdata.sip = p->iph->ip_src.s_addr;
-            alertdata.dip = p->iph->ip_dst.s_addr;
+            alertdata.sip = ntohl(p->iph->ip_src.s_addr);
+            alertdata.dip = ntohl(p->iph->ip_dst.s_addr);
             if(p->iph->ip_proto == IPPROTO_ICMP)
             {
                 if(p->icmph != NULL)


--
Michael Scheidell


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users