#17 fragments and other minor issues in base_qry_alert.php

Status: closed-accepted
Owner: nobody
Labels: None
Priority: 5
Updated: 2006-09-02
Created: 2006-07-23
Creator: Juergen Leising
Private: No

Hello,

1. Sensor parameter "interface" can become
an empty string when the interface of
this sensor changes. Therefore I have
added "_NONE".

2. ip_flags doesn't say anything about the
DF flag and the MF flag. It is taken
from p->frag_flag, which only indicates
whether or not the packet is fragmented.
Hence I replaced "DF" and "MF" with "fragment".

Cf. snort-2.6.0/src/decode.h
snort-2.6.0/src/decode.c

3. I have tried to fix the IP fragmentation
offset field. Now this field is in line
with what ethereal shows to me.

4. I have added a hex representation to the IP,
TCP and ICMP checksums in order to make it
easier to compare them with ethereal.

5. I have added base64 support for IP options
and for TCP options.

Cf. snort-2.6.0/src/output-plugins/spo_database.c

6. I have corrected a variable name in a
debug block: $encoding

7. I have removed the special sfportscan MAC
address containing ASCII codes for "MACDAD"
from being displayed, as one can mix up
those codes with real MAC addresses.

8. I have turned TCP offset from 32-bit words
into bytes, cf. RFC 793, 3.1 (= p. 16).
Now one can check more easily whether
or not IP header length plus offset is
equal to the length claimed by the field
IP length.

The patch has been generated by

diff -Nur base_qry_alert.php.orig base_qry_alert.php > /tmp/base_qry_alert.php.diff

Bye, bye,

Juergen
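
The header-field decoding behind items 2, 3, 4 and 8, as an added example in Python that is not part of this patch or of BASE. The packet bytes are constructed for the demonstration and the checksum values are placeholders, not computed ones; "is_fragment" mirrors what Snort's p->frag_flag records (MF set or a non-zero fragment offset), as opposed to the DF and MF bits themselves.

```python
import struct

# Constructed IPv4 + TCP header pair (40 bytes, no payload). Checksums are
# placeholder values chosen for display, not real ones.
SAMPLE_PACKET = bytes.fromhex(
    "4500 0028 1234 4000 4006 abcd 0a000001 0a000002"   # IPv4, IHL 5, DF set
    "9c40 0050 00000001 00000000 5002 ffff 1234 0000"   # TCP SYN, data offset 5
)


def decode_ip_header(pkt):
    """Decode the IPv4 fields the alert page shows: IHL, DF/MF, offset, checksum."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    flags = flags_frag >> 13                 # top 3 bits: reserved, DF, MF
    mf = bool(flags & 0x1)
    frag_offset = (flags_frag & 0x1FFF) * 8  # 13-bit field, counted in 8-byte units
    return {
        "ihl_bytes": (ver_ihl & 0x0F) * 4,   # IHL is given in 32-bit words
        "total_len": total_len,
        "df": bool(flags & 0x2),
        "mf": mf,
        "frag_offset_bytes": frag_offset,
        "is_fragment": mf or frag_offset > 0,  # what Snort's frag_flag captures
        "proto": proto,
        "csum_hex": "0x%04x" % csum,         # hex form, as added for comparison
    }


def decode_tcp_header(seg):
    """Decode the TCP fields, turning the data offset from words into bytes."""
    src, dst, _seq, _ack, off_flags, _win, csum, _urg = \
        struct.unpack("!HHIIHHHH", seg[:20])
    return {
        "src_port": src,
        "dst_port": dst,
        "data_offset_bytes": (off_flags >> 12) * 4,  # RFC 793 3.1: 32-bit words
        "csum_hex": "0x%04x" % csum,
    }


def header_lengths_consistent(pkt):
    """IP header + TCP header can never exceed the IP total length
    (they are equal only for a segment without payload)."""
    ip = decode_ip_header(pkt)
    tcp = decode_tcp_header(pkt[ip["ihl_bytes"]:])
    return ip["ihl_bytes"] + tcp["data_offset_bytes"] <= ip["total_len"]
```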

Discussion

  • Hello,

    referring to my last posting:

    9. I changed the URL of the "...Clear..."
    hyperlink when a single alert is displayed.
    With the original URL I got an
    "Invalid (sid,cid) pair (,)" error message on
    clicking "...Clear...".

    10. And of course there is no snort-2.6.10 out there.
    Should have been 2.6.0. My fault.

    Now the patch has been made against base-1.2.6 and
    comprises all the issues, nos. 1 to 10:

    diff -Nur base_qry_alert.php.orig base_qry_alert.php > /tmp/base_qry_alert.php.diff

    Bye, bye

    Juergen

  • Kevin Johnson
    2006-08-06

    This patch does not seem to apply correctly?

    Kevin

  • Hmmm, ok, same procedure once again:

    tar -xvzf base-1.2.6.tar.gz

    mv base-1.2.6/base_qry_alert.php base-1.2.6/base_qry_alert.php.orig

    diff -Nur base-1.2.6/base_qry_alert.php.orig /var/www/html/base-1.2.6/base_qry_alert.php > base_qry_alert.php.diff

    and now attaching it. This "base-1.2.6" is
    the release, it is NOT the CVS version.

    md5sum base_qry_alert.php.diff
    e63b070d3cb36437d28883d20d0ce1a2 base_qry_alert.php.diff

    Bye, bye

    Juergen

  • Kevin Johnson
    2006-09-01

    ok I give up... I like the changes I see in your patch but I can't seem to get it to
    apply... user error I am sure... Could you just mail me your entire
    base_qry_alert.php file?

    Thanks
    Kevin

  • Kevin Johnson
    2006-09-01

    • status: open --> open-accepted
  • Here it is: my current base_qry_alert.php.

    I have renamed it (to avoid confusion):

    mv base_qry_alert.php base_qry_alert.php_jl_02_Sep_2006

    Bye, bye,

    Juergen

  • Kevin Johnson
    2006-09-02

    • status: open-accepted --> closed-accepted