Re: FIX: net/snort
And be super careful about this in anything else which interfaces to bpf or pcap. The pcap people were super uncareful using a machine-dependent structure. > > This diff fixes unified logging/alerting on 64-bit platforms. > > > > http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff > ... > > > +--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006 > > src/snort_packet_header.h Tue Nov 7 20:28:12 2006 > > +@@ -16,12 +16,20 @@ > > + #include > > + > > + > > ++/* we must use fixed size of 32 bits, because on-disk > > ++ * format of savefiles uses 32-bit tv_sec (and tv_usec) > > ++ */ > > ++struct pcap_timeval { > > ++u_int32_t tv_sec; /* seconds */ > > ++u_int32_t tv_usec; /* microseconds */ > > ++}; > > ++ > > Use bpf_timeval (see net/bpf.h) which is defined the same way, > don't define your own struct... >
Re: FIX: net/snort
On Sun, Nov 19, 2006 at 12:05:48PM -0700, Peter Valchev wrote: >> This diff fixes unified logging/alerting on 64-bit platforms. >> >> http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff >... > >> +--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006 >> src/snort_packet_header.h Tue Nov 7 20:28:12 2006 >> +@@ -16,12 +16,20 @@ >> + #include >> + >> + >> ++/* we must use fixed size of 32 bits, because on-disk >> ++ * format of savefiles uses 32-bit tv_sec (and tv_usec) >> ++ */ >> ++struct pcap_timeval { >> ++u_int32_t tv_sec; /* seconds */ >> ++u_int32_t tv_usec; /* microseconds */ >> ++}; >> ++ > >Use bpf_timeval (see net/bpf.h) which is defined the same way, >don't define your own struct... > This is a universal fix, not just for OpenBSD.
Re: FIX: net/snort
> This diff fixes unified logging/alerting on 64-bit platforms. > > http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff ... > +--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006 > src/snort_packet_header.hTue Nov 7 20:28:12 2006 > +@@ -16,12 +16,20 @@ > + #include > + > + > ++/* we must use fixed size of 32 bits, because on-disk > ++ * format of savefiles uses 32-bit tv_sec (and tv_usec) > ++ */ > ++struct pcap_timeval { > ++u_int32_t tv_sec; /* seconds */ > ++u_int32_t tv_usec; /* microseconds */ > ++}; > ++ Use bpf_timeval (see net/bpf.h) which is defined the same way, don't define your own struct...
Re: FIX: net/snort
This fixed snort + barnyard on my AMD64 machine. Sorry this report is so late! ddp On 11/7/06, nikns <[EMAIL PROTECTED]> wrote: This diff fixes unified logging/alerting on 64-bit platforms. http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff Index: snort/Makefile === RCS file: /cvs/ports/net/snort/Makefile,v retrieving revision 1.49 diff -u -r1.49 Makefile --- snort/Makefile 14 Oct 2006 09:54:04 - 1.49 +++ snort/Makefile 7 Nov 2006 18:35:32 - @@ -3,7 +3,7 @@ COMMENT= "highly flexible sniffer/NIDS" DISTNAME= snort-2.6.0.2 -PKGNAME= ${DISTNAME}p0 +PKGNAME= ${DISTNAME}p1 CATEGORIES=net security MASTER_SITES= ${HOMEPAGE}/dl/current/ Index: snort/patches/patch-src_event_h === RCS file: snort/patches/patch-src_event_h diff -N snort/patches/patch-src_event_h --- /dev/null 1 Jan 1970 00:00:00 - +++ snort/patches/patch-src_event_h 7 Nov 2006 18:35:32 - @@ -0,0 +1,21 @@ +$OpenBSD$ +--- src/event.h.orig Tue Aug 23 18:52:22 2005 src/event.hTue Nov 7 20:28:12 2006 +@@ -34,6 +34,8 @@ + #include + #endif + ++#include "snort_packet_header.h" ++ + typedef struct _Event + { + u_int32_t sig_generator; /* which part of snort generated the alert? */ +@@ -45,7 +47,7 @@ typedef struct _Event + u_int32_t event_reference; /* reference to other events that have gone off, + * such as in the case of tagged packets... + */ +-struct timeval ref_time; /* reference time for the event reference */ ++struct pcap_timeval ref_time; /* reference time for the event reference */ + + /* Don't add to this structure because this is the serialized data + * struct for unified logging. Index: snort/patches/patch-src_output-plugins_spo_unified_c === RCS file: snort/patches/patch-src_output-plugins_spo_unified_c diff -N snort/patches/patch-src_output-plugins_spo_unified_c --- /dev/null 1 Jan 1970 00:00:00 - +++ snort/patches/patch-src_output-plugins_spo_unified_c7 Nov 2006 18:35:32 - 
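Review bot: The `++struct pcap_timeval ref_time;` line in the patch-src_event_h hunk changes sizeof(Event) on LP64 hosts (the member shrinks from a native `struct timeval` to two `u_int32_t`), but the existing "Don't add to this structure" comment does not record why that is the intended layout. I would extend that comment with `* ref_time is struct pcap_timeval (2 x u_int32_t) on purpose: Event is written as-is to the unified log, so its layout must not depend on the host's struct timeval.` Any code outside this patch that still fills ref_time from a native struct timeval via memcpy would now copy (typically) 16 bytes into an 8-byte member on 64-bit hosts, so that is worth grepping for before committing; the hunk itself shows no such site, so this is only a suspicion. The `_Event` typedef continues past the end of the hunk, and the same hunk is posted again in the original message further down this page.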
@@ -0,0 +1,38 @@ +$OpenBSD$ +--- src/output-plugins/spo_unified.c.orig Fri May 12 20:19:56 2006 src/output-plugins/spo_unified.c Tue Nov 7 20:28:12 2006 +@@ -126,7 +126,7 @@ typedef struct _UnifiedLog + typedef struct _UnifiedAlert + { + Event event; +-struct timeval ts; /* event timestamp */ ++struct pcap_timeval ts;/* event timestamp */ + u_int32_t sip; /* src ip */ + u_int32_t dip; /* dest ip */ + u_int16_t sp; /* src port */ +@@ -551,7 +551,11 @@ void RealUnifiedLogPacketAlert(Packet *p + * this will have to be fixed when we transition to the pa_engine + * code (p->pkth is libpcap specific) + */ +-memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader)); ++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec; ++logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec; ++logheader.pkth.caplen = p->pkth->caplen; ++logheader.pkth.pktlen = p->pkth->len; ++ + } + else + { +@@ -1260,7 +1264,11 @@ void OldUnifiedLogPacketAlert(Packet *p, + { + logheader.flags = p->packet_flags; + +-memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader)); ++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec; ++logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec; ++logheader.pkth.caplen = p->pkth->caplen; ++logheader.pkth.pktlen = p->pkth->len; ++ + + #ifdef GIDS + /* Index: snort/patches/patch-src_snort_packet_header_h === RCS file: snort/patches/patch-src_snort_packet_header_h diff -N snort/patches/patch-src_snort_packet_header_h --- /dev/null 1 Jan 1970 00:00:00 - +++ snort/patches/patch-src_snort_packet_header_h 7 Nov 2006 18:35:32 - 
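Review bot: The two `++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec;` / `tv_usec` assignments narrow a host `struct timeval` member (time_t, 64-bit on LP64) into `u_int32_t` implicitly, which is exactly the truncation the patch wants but reads like an accident and will trip `-Wconversion`; make it explicit with `logheader.pkth.ts.tv_sec = (u_int32_t)p->pkth->ts.tv_sec;` and `logheader.pkth.ts.tv_usec = (u_int32_t)p->pkth->ts.tv_usec;`. The same four-line copy is pasted into both RealUnifiedLogPacketAlert and OldUnifiedLogPacketAlert, so a small static helper would keep the on-disk conversion in one place and document the narrowing once; `p->pkth` is assumed to be a libpcap `struct pcap_pkthdr *`, as the hunk's own context comment suggests, which should be confirmed against the Packet definition. Both enclosing functions start and end outside the hunk, and the identical hunk appears again in the original posting below.
```c
/* Convert a live libpcap header into the fixed-layout on-disk header.
 * tv_sec/tv_usec are deliberately narrowed to 32 bits: the unified
 * log format is defined with 32-bit timestamps on every host. */
static void
PcapHdrToSnortPktHeader(SnortPktHeader *dst, const struct pcap_pkthdr *src)
{
    dst->ts.tv_sec = (u_int32_t)src->ts.tv_sec;
    dst->ts.tv_usec = (u_int32_t)src->ts.tv_usec;
    dst->caplen = src->caplen;
    dst->pktlen = src->len;
}
/* … unchanged: RealUnifiedLogPacketAlert up to the pkth copy … */
        PcapHdrToSnortPktHeader(&logheader.pkth, p->pkth);
/* … unchanged: OldUnifiedLogPacketAlert up to the pkth copy … */
        PcapHdrToSnortPktHeader(&logheader.pkth, p->pkth);
```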
@@ -0,0 +1,25 @@ +$OpenBSD$ +--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006 src/snort_packet_header.h Tue Nov 7 20:28:12 2006 +@@ -16,12 +16,20 @@ + #include + + ++/* we must use fixed size of 32 bits, because on-disk ++ * format of savefiles uses 32-bit tv_sec (and tv_usec) ++ */ ++struct pcap_timeval { ++u_int32_t tv_sec; /* seconds */ ++u_int32_t tv_usec; /* microseconds */ ++}; ++ + /* this is equivalent to the pcap pkthdr struct, but we need one for + * portability once we introduce the pa_engine code + */ + typedef struct _SnortPktHeader + { +-struct timeval ts; /* packet timestamp */ ++struct pcap_timeval ts;/* packet timestamp */ + u_int32_t caplen; /* packet capture length */ + u_int32_t pktlen; /* packet "real" length */ + } SnortPktHeader;
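Review bot: The unchanged context comment `this is equivalent to the pcap pkthdr struct` becomes false once `ts` is a `struct pcap_timeval`: on LP64 hosts SnortPktHeader is now four 32-bit words while libpcap's pkthdr carries a native struct timeval, and the spo_unified.c hunk exists precisely because the two can no longer be memcpy'd. I would reword it to `/* same fields as the pcap pkthdr, but with a fixed 32-bit timeval so the on-disk unified format is identical on 32- and 64-bit hosts; NOT layout-compatible with struct pcap_pkthdr, copy it field by field */`. The new struct's own comment should also state that it is a file-format definition and that assigning a time_t into it truncates, since that is the only reason to prefer it over the host timeval. If memory serves, libpcap's own savefile reader declares these two fields as signed 32-bit, so the width matches and only the signedness differs, which does not affect the layout. The same hunk appears again in the original posting below.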
FIX: net/snort
This diff fixes unified logging/alerting on 64-bit platforms. http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff Index: snort/Makefile === RCS file: /cvs/ports/net/snort/Makefile,v retrieving revision 1.49 diff -u -r1.49 Makefile --- snort/Makefile 14 Oct 2006 09:54:04 - 1.49 +++ snort/Makefile 7 Nov 2006 18:35:32 - @@ -3,7 +3,7 @@ COMMENT= "highly flexible sniffer/NIDS" DISTNAME= snort-2.6.0.2 -PKGNAME= ${DISTNAME}p0 +PKGNAME= ${DISTNAME}p1 CATEGORIES=net security MASTER_SITES= ${HOMEPAGE}/dl/current/ Index: snort/patches/patch-src_event_h === RCS file: snort/patches/patch-src_event_h diff -N snort/patches/patch-src_event_h --- /dev/null 1 Jan 1970 00:00:00 - +++ snort/patches/patch-src_event_h 7 Nov 2006 18:35:32 - @@ -0,0 +1,21 @@ +$OpenBSD$ +--- src/event.h.orig Tue Aug 23 18:52:22 2005 src/event.hTue Nov 7 20:28:12 2006 +@@ -34,6 +34,8 @@ + #include + #endif + ++#include "snort_packet_header.h" ++ + typedef struct _Event + { + u_int32_t sig_generator; /* which part of snort generated the alert? */ +@@ -45,7 +47,7 @@ typedef struct _Event + u_int32_t event_reference; /* reference to other events that have gone off, + * such as in the case of tagged packets... + */ +-struct timeval ref_time; /* reference time for the event reference */ ++struct pcap_timeval ref_time; /* reference time for the event reference */ + + /* Don't add to this structure because this is the serialized data + * struct for unified logging. Index: snort/patches/patch-src_output-plugins_spo_unified_c === RCS file: snort/patches/patch-src_output-plugins_spo_unified_c diff -N snort/patches/patch-src_output-plugins_spo_unified_c --- /dev/null 1 Jan 1970 00:00:00 - +++ snort/patches/patch-src_output-plugins_spo_unified_c7 Nov 2006 18:35:32 - 
@@ -0,0 +1,38 @@ +$OpenBSD$ +--- src/output-plugins/spo_unified.c.orig Fri May 12 20:19:56 2006 src/output-plugins/spo_unified.c Tue Nov 7 20:28:12 2006 +@@ -126,7 +126,7 @@ typedef struct _UnifiedLog + typedef struct _UnifiedAlert + { + Event event; +-struct timeval ts; /* event timestamp */ ++struct pcap_timeval ts;/* event timestamp */ + u_int32_t sip; /* src ip */ + u_int32_t dip; /* dest ip */ + u_int16_t sp; /* src port */ +@@ -551,7 +551,11 @@ void RealUnifiedLogPacketAlert(Packet *p + * this will have to be fixed when we transition to the pa_engine + * code (p->pkth is libpcap specific) + */ +-memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader)); ++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec; ++logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec; ++logheader.pkth.caplen = p->pkth->caplen; ++logheader.pkth.pktlen = p->pkth->len; ++ + } + else + { +@@ -1260,7 +1264,11 @@ void OldUnifiedLogPacketAlert(Packet *p, + { + logheader.flags = p->packet_flags; + +-memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader)); ++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec; ++logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec; ++logheader.pkth.caplen = p->pkth->caplen; ++logheader.pkth.pktlen = p->pkth->len; ++ + + #ifdef GIDS + /* Index: snort/patches/patch-src_snort_packet_header_h === RCS file: snort/patches/patch-src_snort_packet_header_h diff -N snort/patches/patch-src_snort_packet_header_h --- /dev/null 1 Jan 1970 00:00:00 - +++ snort/patches/patch-src_snort_packet_header_h 7 Nov 2006 18:35:32 - 
@@ -0,0 +1,25 @@ +$OpenBSD$ +--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006 src/snort_packet_header.h Tue Nov 7 20:28:12 2006 +@@ -16,12 +16,20 @@ + #include + + ++/* we must use fixed size of 32 bits, because on-disk ++ * format of savefiles uses 32-bit tv_sec (and tv_usec) ++ */ ++struct pcap_timeval { ++u_int32_t tv_sec; /* seconds */ ++u_int32_t tv_usec; /* microseconds */ ++}; ++ + /* this is equivalent to the pcap pkthdr struct, but we need one for + * portability once we introduce the pa_engine code + */ + typedef struct _SnortPktHeader + { +-struct timeval ts; /* packet timestamp */ ++struct pcap_timeval ts;/* packet timestamp */ + u_int32_t caplen; /* packet capture length */ + u_int32_t pktlen; /* packet "real" length */ + } SnortPktHeader;