Re: FIX: net/snort

2006-11-19 Thread Theo de Raadt
And be super careful about this in anything else which interfaces
to bpf or pcap.  The pcap people were super uncareful using a
machine-dependent structure.

> > This diff fixes unified logging/alerting on 64-bit platforms.
> > 
> > http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff
> ...
> 
> > +--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006
> >  src/snort_packet_header.h  Tue Nov  7 20:28:12 2006
> > +@@ -16,12 +16,20 @@
> > + #include 
> > + 
> > + 
> > ++/* we must use fixed size of 32 bits, because on-disk
> > ++ * format of savefiles uses 32-bit tv_sec (and tv_usec)
> > ++ */
> > ++struct pcap_timeval {
> > ++u_int32_t tv_sec;  /* seconds */
> > ++u_int32_t tv_usec; /* microseconds */
> > ++};
> > ++
> 
> Use bpf_timeval (see net/bpf.h) which is defined the same way,
> don't define your own struct...
> 



Re: FIX: net/snort

2006-11-19 Thread nikns
On Sun, Nov 19, 2006 at 12:05:48PM -0700, Peter Valchev wrote:
>> This diff fixes unified logging/alerting on 64-bit platforms.
>> 
>> http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff
>...
>
>> +--- src/snort_packet_header.h.orig  Thu Jan 19 19:09:12 2006
>>  src/snort_packet_header.h   Tue Nov  7 20:28:12 2006
>> +@@ -16,12 +16,20 @@
>> + #include 
>> + 
>> + 
>> ++/* we must use fixed size of 32 bits, because on-disk
>> ++ * format of savefiles uses 32-bit tv_sec (and tv_usec)
>> ++ */
>> ++struct pcap_timeval {
>> ++u_int32_t tv_sec;  /* seconds */
>> ++u_int32_t tv_usec; /* microseconds */
>> ++};
>> ++
>
>Use bpf_timeval (see net/bpf.h) which is defined the same way,
>don't define your own struct...
>

This is a universal fix, not just for OpenBSD.



Re: FIX: net/snort

2006-11-19 Thread Peter Valchev
> This diff fixes unified logging/alerting on 64-bit platforms.
> 
> http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff
...

> +--- src/snort_packet_header.h.orig   Thu Jan 19 19:09:12 2006
>  src/snort_packet_header.hTue Nov  7 20:28:12 2006
> +@@ -16,12 +16,20 @@
> + #include 
> + 
> + 
> ++/* we must use fixed size of 32 bits, because on-disk
> ++ * format of savefiles uses 32-bit tv_sec (and tv_usec)
> ++ */
> ++struct pcap_timeval {
> ++u_int32_t tv_sec;  /* seconds */
> ++u_int32_t tv_usec; /* microseconds */
> ++};
> ++

Use bpf_timeval (see net/bpf.h) which is defined the same way,
don't define your own struct...



Re: FIX: net/snort

2006-11-18 Thread ddp

This fixed snort + barnyard on my AMD64 machine.
Sorry this report is so late!
ddp

On 11/7/06, nikns <[EMAIL PROTECTED]> wrote:


This diff fixes unified logging/alerting on 64-bit platforms.

http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff

Index: snort/Makefile
===
RCS file: /cvs/ports/net/snort/Makefile,v
retrieving revision 1.49
diff -u -r1.49 Makefile
--- snort/Makefile  14 Oct 2006 09:54:04 -  1.49
+++ snort/Makefile  7 Nov 2006 18:35:32 -
@@ -3,7 +3,7 @@
COMMENT=   "highly flexible sniffer/NIDS"

DISTNAME=  snort-2.6.0.2
-PKGNAME=   ${DISTNAME}p0
+PKGNAME=   ${DISTNAME}p1
CATEGORIES=net security
MASTER_SITES=  ${HOMEPAGE}/dl/current/

Index: snort/patches/patch-src_event_h
===
RCS file: snort/patches/patch-src_event_h
diff -N snort/patches/patch-src_event_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ snort/patches/patch-src_event_h 7 Nov 2006 18:35:32 -
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- src/event.h.orig   Tue Aug 23 18:52:22 2005
 src/event.hTue Nov  7 20:28:12 2006
+@@ -34,6 +34,8 @@
+ #include 
+ #endif
+
++#include "snort_packet_header.h"
++
+ typedef struct _Event
+ {
+ u_int32_t sig_generator;   /* which part of snort generated the
alert? */
+@@ -45,7 +47,7 @@ typedef struct _Event
+ u_int32_t event_reference; /* reference to other events that have
gone off,
+ * such as in the case of tagged
packets...
+ */
+-struct timeval ref_time;   /* reference time for the event reference
*/
++struct pcap_timeval ref_time;   /* reference time for the event
reference */
+
+ /* Don't add to this structure because this is the serialized data
+  * struct for unified logging.
Index: snort/patches/patch-src_output-plugins_spo_unified_c
===
RCS file: snort/patches/patch-src_output-plugins_spo_unified_c
diff -N snort/patches/patch-src_output-plugins_spo_unified_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ snort/patches/patch-src_output-plugins_spo_unified_c7 Nov 2006
18:35:32 -
@@ -0,0 +1,38 @@
+$OpenBSD$
+--- src/output-plugins/spo_unified.c.orig  Fri May 12 20:19:56 2006
 src/output-plugins/spo_unified.c   Tue Nov  7 20:28:12 2006
+@@ -126,7 +126,7 @@ typedef struct _UnifiedLog
+ typedef struct _UnifiedAlert
+ {
+ Event event;
+-struct timeval ts; /* event timestamp */
++struct pcap_timeval ts;/* event timestamp */
+ u_int32_t sip; /* src ip */
+ u_int32_t dip; /* dest ip */
+ u_int16_t sp;  /* src port */
+@@ -551,7 +551,11 @@ void RealUnifiedLogPacketAlert(Packet *p
+  * this will have to be fixed when we transition to the
pa_engine
+  * code (p->pkth is libpcap specific)
+  */
+-memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader));
++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec;
++logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec;
++logheader.pkth.caplen = p->pkth->caplen;
++logheader.pkth.pktlen = p->pkth->len;
++
+ }
+ else
+ {
+@@ -1260,7 +1264,11 @@ void OldUnifiedLogPacketAlert(Packet *p,
+ {
+ logheader.flags = p->packet_flags;
+
+-memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader));
++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec;
++logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec;
++logheader.pkth.caplen = p->pkth->caplen;
++logheader.pkth.pktlen = p->pkth->len;
++
+
+ #ifdef GIDS
+ /*
Index: snort/patches/patch-src_snort_packet_header_h
===
RCS file: snort/patches/patch-src_snort_packet_header_h
diff -N snort/patches/patch-src_snort_packet_header_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ snort/patches/patch-src_snort_packet_header_h   7 Nov 2006
18:35:32 -
@@ -0,0 +1,25 @@
+$OpenBSD$
+--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006
 src/snort_packet_header.h  Tue Nov  7 20:28:12 2006
+@@ -16,12 +16,20 @@
+ #include 
+
+
++/* we must use fixed size of 32 bits, because on-disk
++ * format of savefiles uses 32-bit tv_sec (and tv_usec)
++ */
++struct pcap_timeval {
++u_int32_t tv_sec;  /* seconds */
++u_int32_t tv_usec; /* microseconds */
++};
++
+ /* this is equivalent to the pcap pkthdr struct, but we need one for
+  * portability once we introduce the pa_engine code
+  */
+ typedef struct _SnortPktHeader
+ {
+-struct timeval ts; /* packet timestamp */
++struct pcap_timeval ts;/* packet timestamp */
+ u_int32_t caplen;  /* packet capture length */
+ u_int32_t pktlen;  /* packet "real" length */
+ } SnortPktHeader;




FIX: net/snort

2006-11-07 Thread nikns
This diff fixes unified logging/alerting on 64-bit platforms.

http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff

Index: snort/Makefile
===
RCS file: /cvs/ports/net/snort/Makefile,v
retrieving revision 1.49
diff -u -r1.49 Makefile
--- snort/Makefile  14 Oct 2006 09:54:04 -  1.49
+++ snort/Makefile  7 Nov 2006 18:35:32 -
@@ -3,7 +3,7 @@
 COMMENT=   "highly flexible sniffer/NIDS"
 
 DISTNAME=  snort-2.6.0.2
-PKGNAME=   ${DISTNAME}p0
+PKGNAME=   ${DISTNAME}p1
 CATEGORIES=net security
 MASTER_SITES=  ${HOMEPAGE}/dl/current/
 
Index: snort/patches/patch-src_event_h
===
RCS file: snort/patches/patch-src_event_h
diff -N snort/patches/patch-src_event_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ snort/patches/patch-src_event_h 7 Nov 2006 18:35:32 -
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- src/event.h.orig   Tue Aug 23 18:52:22 2005
 src/event.hTue Nov  7 20:28:12 2006
+@@ -34,6 +34,8 @@
+ #include 
+ #endif
+ 
++#include "snort_packet_header.h"
++
+ typedef struct _Event
+ {
+ u_int32_t sig_generator;   /* which part of snort generated the alert? */
+@@ -45,7 +47,7 @@ typedef struct _Event
+ u_int32_t event_reference; /* reference to other events that have gone 
off,
+ * such as in the case of tagged packets...
+ */
+-struct timeval ref_time;   /* reference time for the event reference */
++struct pcap_timeval ref_time;   /* reference time for the event reference 
*/
+ 
+ /* Don't add to this structure because this is the serialized data
+  * struct for unified logging.
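Review bot: Changing `ref_time` to `struct pcap_timeval` changes the serialized size of `Event` on 64-bit hosts (the struct's own comment says it is the unified-logging wire format), so unified files already written by the previous amd64 build have a different layout from the ones this build writes, and nothing in the hunk documents that. I would extend the trailing comment with `/* ref_time is a fixed 32-bit pair so sizeof(Event) matches on 32- and 64-bit hosts; files written by earlier 64-bit builds carry a native timeval here and are not readable with this layout */` (hedged: the reader side is not in this diff). The other thing to check is that every writer of `ref_time` outside this hunk assigns the two fields rather than passing `&ev->ref_time` to gettimeofday() or memcpy()ing a `struct timeval` into it, since on LP64 either would now write 16 bytes into an 8-byte field and the compiler only emits a pointer-type warning. `_Event` begins before and ends after the nested hunk shown here.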
Index: snort/patches/patch-src_output-plugins_spo_unified_c
===
RCS file: snort/patches/patch-src_output-plugins_spo_unified_c
diff -N snort/patches/patch-src_output-plugins_spo_unified_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ snort/patches/patch-src_output-plugins_spo_unified_c7 Nov 2006 
18:35:32 -
@@ -0,0 +1,38 @@
+$OpenBSD$
+--- src/output-plugins/spo_unified.c.orig  Fri May 12 20:19:56 2006
 src/output-plugins/spo_unified.c   Tue Nov  7 20:28:12 2006
+@@ -126,7 +126,7 @@ typedef struct _UnifiedLog
+ typedef struct _UnifiedAlert
+ {
+ Event event;
+-struct timeval ts; /* event timestamp */
++struct pcap_timeval ts;/* event timestamp */
+ u_int32_t sip; /* src ip */
+ u_int32_t dip; /* dest ip */
+ u_int16_t sp;  /* src port */
+@@ -551,7 +551,11 @@ void RealUnifiedLogPacketAlert(Packet *p
+  * this will have to be fixed when we transition to the pa_engine
+  * code (p->pkth is libpcap specific)
+  */ 
+-memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader));
++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec;
++logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec;
++logheader.pkth.caplen = p->pkth->caplen;
++logheader.pkth.pktlen = p->pkth->len;
++
+ }
+ else
+ {
+@@ -1260,7 +1264,11 @@ void OldUnifiedLogPacketAlert(Packet *p,
+ {
+ logheader.flags = p->packet_flags;
+ 
+-memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader));
++logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec;
++logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec;
++logheader.pkth.caplen = p->pkth->caplen;
++logheader.pkth.pktlen = p->pkth->len;
++
+ 
+ #ifdef GIDS
+ /*
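Review bot: The four-line field-by-field copy of `p->pkth` into `logheader.pkth` is now duplicated verbatim in RealUnifiedLogPacketAlert and OldUnifiedLogPacketAlert (both functions begin and end outside this hunk), and `tv_sec` silently narrows from the host `time_t` to `u_int32_t` on LP64 with no cast to show that it is intended. I would pull it into one static helper with explicit casts, so the two writers cannot drift and the truncation is documented at the one place it happens; this assumes `p->pkth` is the libpcap `struct pcap_pkthdr` the surrounding comment says it is. Any other writer of `UnifiedAlert.ts` outside this hunk that still treats the field as a `struct timeval` (address passed to gettimeofday(), or a timeval memcpy()ed into it) would now overrun the 8-byte field on 64-bit hosts with only a warning, so those call sites should be audited as part of this change.
```c
/* Copy a libpcap header into the fixed-layout on-disk header.
 * ts is deliberately narrowed to 32 bits: the unified file format
 * stores 32-bit tv_sec/tv_usec regardless of host word size. */
static void CopyPktHeader(SnortPktHeader *dst, const struct pcap_pkthdr *src)
{
    dst->ts.tv_sec  = (u_int32_t)src->ts.tv_sec;
    dst->ts.tv_usec = (u_int32_t)src->ts.tv_usec;
    dst->caplen     = src->caplen;
    dst->pktlen     = src->len;
}

/* … unchanged: RealUnifiedLogPacketAlert up to the pa_engine comment … */
        CopyPktHeader(&logheader.pkth, p->pkth);
/* … unchanged: OldUnifiedLogPacketAlert, same call replaces the second copy … */
```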
Index: snort/patches/patch-src_snort_packet_header_h
===
RCS file: snort/patches/patch-src_snort_packet_header_h
diff -N snort/patches/patch-src_snort_packet_header_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ snort/patches/patch-src_snort_packet_header_h   7 Nov 2006 18:35:32 
-
@@ -0,0 +1,25 @@
+$OpenBSD$
+--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006
 src/snort_packet_header.h  Tue Nov  7 20:28:12 2006
+@@ -16,12 +16,20 @@
+ #include 
+ 
+ 
++/* we must use fixed size of 32 bits, because on-disk
++ * format of savefiles uses 32-bit tv_sec (and tv_usec)
++ */
++struct pcap_timeval {
++u_int32_t tv_sec;  /* seconds */
++u_int32_t tv_usec; /* microseconds */
++};
++
+ /* this is equivalent to the pcap pkthdr struct, but we need one for
+  * portability once we introduce the pa_engine code 
+  */
+ typedef struct _SnortPktHeader
+ {
+-struct timeval ts; /* packet timestamp */
++struct pcap_timeval ts;/* packet timestamp */
+ u_int32_t caplen;  /* packet capture length */
+ u_int32_t pktlen;  /* packet "real" length */
+ } SnortPktHeader;
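Review bot: The comment kept above `typedef struct _SnortPktHeader` (`this is equivalent to the pcap pkthdr struct`) is now misleading on LP64: with `struct pcap_timeval` the header is 16 bytes everywhere, whereas libpcap's `struct pcap_pkthdr` carries a native `struct timeval`, which is precisely why spo_unified.c stops memcpy()ing between the two. I would reword it to `/* same fields as pcap_pkthdr but NOT layout-compatible: ts is a fixed 32-bit pair so the unified on-disk format is identical on 32- and 64-bit hosts; copy field by field, never memcpy() from a pcap_pkthdr */`. The name `pcap_timeval` also sits in libpcap's namespace and, as far as I recall, libpcap's internal headers declare a struct of that name for the same purpose, so a snort-prefixed name (or the `bpf_timeval` proposed earlier in this thread) would sidestep a clash if that declaration ever becomes public. Note too that `u_int32_t tv_sec` cannot hold negative or post-2106 timestamps, and a consumer reading the field as signed hits that boundary in 2038, so the comment should state which convention the readers expect.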