Sorry for bothering again about IP fragments. The fragment fields are still not correct. There are three issues:
1. myrow2 does NOT contain any information about which flags are set or not set. It just reflects whether or not a particular packet is fragmented. Cf. snort-2.6.1/src/output-plugins/spo_database.c:1609 and 1621:

    if(p->frag_offset || p->mf)
        /* set the packet fragment flag */
        p->frag_flag = 1;

The flags can be gained neither from ip_flags nor from ip_off, nor from any other field of the current database schema (107).

    p->frag_offset &= 0x1FFF
2. myrow2 is provided by snort with data that have a byte order issue: the value is still in network byte order, as the value has undergone ntohs() twice, rather than just once, as it should have. This can be fixed by base.
3. myrow2 is a value in units of 8 octets (= 64 bits). In order to achieve results that are consistent with what is usual under tcpdump or ethereal, base should convert the result to a value in units of bytes rather than 8 octets. Cf. RFC 791, 3.1 (= p. 14): "The fragment offset is measured in units of 8 octets (64 bits)."
I attach the following patch (against base-1.2.7):
diff -Nurp base_qry_alert.php.orig base_qry_alert.php >
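To make the three points above concrete, here is an added example (not part of the mail, and not code from BASE or Snort) that decodes the IPv4 ip_off field correctly, models the value as the mail says it reaches the database (13-bit mask applied, ntohs() applied a second time on a little-endian sensor), and applies the correction BASE needs: one more 16-bit byte swap, then scaling 8-octet units to bytes. The ordering of mask and second ntohs() is an assumption; the flag bits are lost either way.

```python
import struct

IP_DF = 0x4000       # RFC 791 "Don't Fragment" flag
IP_MF = 0x2000       # RFC 791 "More Fragments" flag
IP_OFFMASK = 0x1FFF  # 13-bit fragment offset, in units of 8 octets
IP_OFF_FIELD = slice(6, 8)  # byte offset of ip_off inside the IPv4 header


def swap16(v: int) -> int:
    """Byte-swap a 16-bit value; this is what ntohs() does on a little-endian host."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def decode_ip_off(ip_off_wire: bytes) -> dict:
    """Correct decoding of the 2-byte ip_off field straight off the wire:
    a single ntohs(), then split into flags and the 8-octet-unit offset."""
    (host,) = struct.unpack("!H", ip_off_wire)   # one ntohs()
    units = host & IP_OFFMASK
    return {"df": bool(host & IP_DF), "mf": bool(host & IP_MF),
            "offset_units": units, "offset_bytes": units * 8}


def snort_db_value(ip_off_wire: bytes) -> int:
    """Model of what reaches the ip_off column according to the report (assumed
    ordering): the 13-bit offset is masked, then ntohs() runs a second time, so
    on a little-endian sensor the stored number is swapped back to network order.
    The DF/MF bits never make it into the column."""
    (host,) = struct.unpack("!H", ip_off_wire)
    return swap16(host & IP_OFFMASK)


def base_frag_offset_bytes(db_value: int) -> int:
    """The correction proposed for BASE: undo the extra ntohs() with one more
    16-bit byte swap, then convert 8-octet units to bytes (tcpdump/ethereal style)."""
    return swap16(db_value) * 8


if __name__ == "__main__":
    # Constructed 20-byte IPv4 header (checksum left zero): MF set, offset 5 units.
    hdr = bytes.fromhex("4500003c1c46" "2005" "4011" "0000" "0a000001" "0a000002")
    field = hdr[IP_OFF_FIELD]
    print("wire decode     :", decode_ip_off(field))          # mf=True, 40 bytes
    stored = snort_db_value(field)
    print("db value        :", hex(stored))                   # 0x500, not 5
    print("naive BASE      :", stored, "(wrong, still network order)")
    print("corrected BASE  :", base_frag_offset_bytes(stored), "bytes")
```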