Re: configure snort to drop payloads

["Alex Pinheiro Machado Rodrigues" <alex () bsbnet com>]

Try HogWash.
Alex
Brazil


----- Original Message ----- 
From: "Dr. Richard W. Tibbs" <ccamp () oakcitysolutions com>
To: "James Hoagland" <hoagland () SiliconDefense com>
Cc: "Lyle Sudin" <lylesudin () yahoo com>; <Snort-users () lists sourceforge net>
Sent: Thursday, April 18, 2002 9:48 AM
Subject: Re: [Snort-users] configure snort to drop payloads


Hey, can you identify what .c in the snort distrib you are modifying below?
Thx.

James Hoagland wrote:

> At 6:07 AM -0800 4/2/02, Lyle Sudin wrote:
>
> > Is there an easy way to run snort in packet sniffing
> > mode which will be able to keep up with a 100MB
> > connection, log in tcpdump format, and only log the
> > packet headers?
> >
> > The -b switch seems to keep up with the traffic and
> > not drop packets but includes the payload in addition
> > to the headers.  I need to do all the parsing before
> > writing to disk (both privacy and disk space concerns)
> > so I am looking for either a switch I am missing or
> > code to edit.
>
>
> Lyle,
>
> See the diff below.  I haven't so much as tried to compile this (let 
> alone be sure it works; so use at your own risk) but this might meet 
> your requirement for *no* logging of payload data.  Basically it 
> copies just the header of the packet into a buffer and gives that to 
> libpcap for writing.  It also lies to pcap about the capture length, 
> saying it is just the length of the header.  Right now, this is 
> enabled by a #define; it wouldn't be hard to add it as a command line 
> switch.
>
> Mostly due to needing to make a copy of the header, there is a small 
> performance hit.  If this matters, you can post-process your tcpdump 
> file with this option enabled, rather than running with it 
> originally.  (I am making a conservative assumption about pcap in 
> making a copy of the header.)
>
> Corrections to this code would be welcome.
>
> Hope this helps,
>
>    Jim
>
>
> --- spo_log_tcpdump.c.orig      Wed Apr 17 13:44:03 2002
> +++ spo_log_tcpdump.c   Wed Apr 17 15:25:55 2002
> @@ -38,6 +38,8 @@
>   * First logger...
>   *
>   */
> +
> +#define DONT_LOG_PAYLOAD 1
>
>  /* your output plugin header file goes here */
>  #include "spo_log_tcpdump.h"
> @@ -170,6 +172,14 @@
>
>      if(p)
>      {
> +#if DONT_LOG_PAYLOAD
> +        u_int8_t sanitized_pkt[68];
> +        u_int16_t real_caplen= p->pkth->caplen <= 68 ?
> +                                 p->pkth->caplen : 68;
> +       +        p->pkth->caplen-= p->dsize;
> +#endif       +                if(pv.obfuscation_flag)
>          {
>              if(p->iph != NULL)
> @@ -181,9 +191,23 @@
>
>          data->log_written = 1;
>
> +#if DONT_LOG_PAYLOAD
> +        /* copy just the header over */
> +        if (p->pkt != NULL) { /* in case we get here w/o a pkt */
> +            memcpy(sanitized_pkt,p->pkt,p->pkth->caplen);
> +            pcap_dump((u_char *)data->dumpd,p->pkth,sanitized_pkt);
> +        } else {
> +            /* sizeof(struct pcap_pkthdr) = 16 bytes */
> +            pcap_dump((u_char *)data->dumpd,p->pkth,NULL);
> +        }
> +
> +
> +        p->pkth->caplen= real_caplen; /* restore p->pkth */
> +#else
>          /* sizeof(struct pcap_pkthdr) = 16 bytes */
>          pcap_dump((u_char *)data->dumpd,p->pkth,p->pkt);
> -
> +#endif
> +           if(!pv.line_buffer_flag)
>          {
>              fflush((FILE *)data->dumpd);



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users