Snort mailing list archives
snort-flood detection preprocessor
From: Cearns Angela <acearns () yahoo com>
Date: Fri, 2 Aug 2002 15:25:03 -0700 (PDT)
Hello group,

I sent this mail to the devel group also. I am new to Snort. I am working on writing a generic patch for flood detection. I want this to be implemented as a preprocessor plugin (I think this is the right way for flood detection). I am trying to read the packets from the preproc function I registered for the module. On getting the packet I am trying to see the source and destination address. For some strange reason the destination and source address seem to be the same. I am clueless as to why this is happening. Can you please provide me with the necessary information? Attached below is a small piece of code along with the output and the testing method conducted.

Thanks,
Ang

---------------------------------------

#include <stdio.h>
#include <arpa/inet.h>      /* inet_ntoa() */
#include <netinet/in.h>     /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP */
#include "snort.h"          /* Packet, RegisterPreprocessor(), AddFuncToPreprocList();
                             * the other spp_*.c files show the full include set */

void FloodInit(u_char * args);
void FloodPreprocFunction(Packet * p);
void ParseFloodArgs(u_char * args);     /* borrowed from spp_portscan.c, not shown */

void FloodPreprocFunction(Packet * p)
{
    /* Only do processing on IP packets */
    if(p->iph == NULL)
    {
        return;
    }

    /*
     * Here we check if it is a protocol we are watching and if it is a
     * destination we are watching. If either fails, we return abruptly.
     */
    switch(p->iph->ip_proto)
    {
        case IPPROTO_TCP:
            /* Braced so the DEBUG printf below is not taken as the if body */
            if(p->tcph == NULL)
            {
                break;
            }
#ifdef DEBUG
            printf("spp_flood: Got TCP pkt\n");
#endif
            break;

        case IPPROTO_UDP:
#ifdef DEBUG
            printf("spp_flood: Got UDP pkt\n");
#endif
            break;

        case IPPROTO_ICMP:
            /* inet_ntoa() returns a pointer to one static buffer, so the
             * two calls below hand printf() the same string */
            printf("source address is %s destination is %s\n",
                   inet_ntoa(p->iph->ip_src), inet_ntoa(p->iph->ip_dst));
#ifdef DEBUG
            printf("spp_flood: Got ICMP pkt\n");
#endif
            scanType = sICMP;   /* plugin state declared elsewhere, not shown */
            break;

        default:
            /* The packet isn't a protocol we watch, so get out of here. */
            return;  /*** RETURN ***/
    }
}

void SetupFlood(void)
{
    RegisterPreprocessor("flood", FloodInit);
}

void FloodInit(u_char * args)
{
    /* read the flood arguments from the config file */
    /* currently borrowed it from spp_portscan.c */
    ParseFloodArgs(args);
    AddFuncToPreprocList(FloodPreprocFunction);
}

Test
----
ping -f -c 4 abc.cs.edu

abc.cs.edu has ip <a.b.c.d>
attack host has ip <p.q.r.s>

Output
------
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
source address is a.b.c.d destination is a.b.c.d
source address is p.q.r.s destination is p.q.r.s
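The output above, where source equals destination on every line, is the documented behaviour of inet_ntoa(): it returns a pointer to a single static buffer, so two calls used as arguments of one printf() both read whatever the second call wrote. The following C program is an added example, not part of the original post or of Snort, that reproduces the effect on a constructed address pair and shows the re-entrant inet_ntop() form that keeps the two addresses distinct. The addresses 10.0.0.1 and 10.0.0.2 (and 192.168.1.1) are made up for the demonstration and stand in for p.q.r.s and a.b.c.d.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Build a struct in_addr from a host-order IPv4 value such as 0x0A000001 (10.0.0.1). */
static struct in_addr make_addr(uint32_t host_order)
{
    struct in_addr a;
    a.s_addr = htonl(host_order);
    return a;
}

/* Mirror the posted printf(): two inet_ntoa() calls as arguments of one
 * format call. inet_ntoa() hands back a pointer to a single static buffer,
 * so s and d alias the same bytes and the second call overwrites the first
 * before snprintf() reads either. Returns 1 if the two rendered strings are
 * equal, which they are here whatever the addresses. */
int same_with_ntoa(uint32_t src_host, uint32_t dst_host)
{
    char line[128];
    const char *s = inet_ntoa(make_addr(src_host));
    const char *d = inet_ntoa(make_addr(dst_host));
    snprintf(line, sizeof line, "source address is %s destination is %s", s, d);
    return strcmp(s, d) == 0;
}

/* Re-entrant version: inet_ntop() writes into caller-supplied storage, so
 * each address gets its own buffer. Returns 0 on success, -1 on error. */
int render_with_ntop(uint32_t src_host, uint32_t dst_host, char *out, size_t outlen)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    struct in_addr src = make_addr(src_host), dst = make_addr(dst_host);
    if (inet_ntop(AF_INET, &src, s, sizeof s) == NULL ||
        inet_ntop(AF_INET, &dst, d, sizeof d) == NULL)
        return -1;
    snprintf(out, outlen, "source address is %s destination is %s", s, d);
    return 0;
}

/* Convenience check: 1 if the inet_ntop() rendering equals `expected`. */
int ntop_line_is(uint32_t src_host, uint32_t dst_host, const char *expected)
{
    char line[128];
    if (render_with_ntop(src_host, dst_host, line, sizeof line) != 0)
        return 0;
    return strcmp(line, expected) == 0;
}

int main(void)
{
    char line[128];
    /* Constructed sample pair: 10.0.0.1 -> 10.0.0.2 */
    printf("inet_ntoa pair reported equal: %d\n", same_with_ntoa(0x0A000001, 0x0A000002));
    if (render_with_ntop(0x0A000001, 0x0A000002, line, sizeof line) == 0)
        printf("inet_ntop: %s\n", line);
    return 0;
}
```

The same aliasing applies to any two inet_ntoa() results kept alive at once, not only inside one printf(); copying the first result out (or using inet_ntop() as above) is the fix in a preprocessor that logs both ends of a flow.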
Current thread:
- snort alert -stop working with snort.conf Cearns Angela (Jul 27)
- Re: snort alert -stop working with snort.conf John Sage (Jul 28)
- Re: snort alert -stop working with snort.conf Cearns Angela (Jul 28)
- Re: snort alert -stop working with snort.conf twig les (Jul 29)
- Re: snort alert -stop working with snort.conf David Yip (Jul 29)
- snort-flood detection preprocessor Cearns Angela (Aug 02)
- Re: snort alert -stop working with snort.conf Cearns Angela (Jul 28)
- Re: snort alert -stop working with snort.conf John Sage (Jul 28)