This fixed unified logging between snort and barnyard on my amd64 machine. Sorry this report is so late! ddp
On 11/7/06, nikns <[EMAIL PROTECTED]> wrote:
This diff fixes unified logging/alerting on 64-bit platforms.
http://secure.lv/~nikns/stuff/ports/snort-2.6.0.2p1.diff
Index: snort/Makefile
===================================================================
RCS file: /cvs/ports/net/snort/Makefile,v
retrieving revision 1.49
diff -u -r1.49 Makefile
--- snort/Makefile 14 Oct 2006 09:54:04 -0000 1.49
+++ snort/Makefile 7 Nov 2006 18:35:32 -0000
@@ -3,7 +3,7 @@
 COMMENT= "highly flexible sniffer/NIDS"
 DISTNAME= snort-2.6.0.2
-PKGNAME= ${DISTNAME}p0
+PKGNAME= ${DISTNAME}p1
 CATEGORIES= net security
 MASTER_SITES= ${HOMEPAGE}/dl/current/
Index: snort/patches/patch-src_event_h
===================================================================
RCS file: snort/patches/patch-src_event_h
diff -N snort/patches/patch-src_event_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ snort/patches/patch-src_event_h 7 Nov 2006 18:35:32 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- src/event.h.orig Tue Aug 23 18:52:22 2005
++++ src/event.h Tue Nov 7 20:28:12 2006
+@@ -34,6 +34,8 @@
+ #include <sys/time.h>
+ #endif
+
++#include "snort_packet_header.h"
++
+ typedef struct _Event
+ {
+ u_int32_t sig_generator; /* which part of snort generated the alert? */
+@@ -45,7 +47,7 @@ typedef struct _Event
+ u_int32_t event_reference; /* reference to other events that have gone off,
+ * such as in the case of tagged packets...
+ */
+- struct timeval ref_time; /* reference time for the event reference */
++ struct pcap_timeval ref_time; /* reference time for the event reference */
+
+ /* Don't add to this structure because this is the serialized data
+ * struct for unified logging.
Index: snort/patches/patch-src_output-plugins_spo_unified_c
===================================================================
RCS file: snort/patches/patch-src_output-plugins_spo_unified_c
diff -N snort/patches/patch-src_output-plugins_spo_unified_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ snort/patches/patch-src_output-plugins_spo_unified_c 7 Nov 2006 18:35:32 -0000
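Review bot: Changing `ref_time` to `struct pcap_timeval` fixes the serialized size of `Event` on LP64 hosts, but nothing in the patch pins that size, so a future member or a different ABI would silently desynchronize the writer from barnyard again. Because the comment at the end of the hunk states this is the on-disk record, I would put a compile-time size guard next to the typedef — a C89-compatible negative-array check such as `typedef char event_size_check[sizeof(Event) == EVENT_SERIALIZED_SIZE ? 1 : -1];` with the expected byte count taken from the unified-format reader — and extend the existing "Don't add to this structure" comment to say that every member must be a fixed-width 32-bit type, never `long`, `time_t` or `struct timeval`. The `_Event` typedef starts inside the hunk but its members between `sig_generator` and `event_reference` are outside the visible context, so I cannot state the expected size here.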
@@ -0,0 +1,38 @@
+$OpenBSD$
+--- src/output-plugins/spo_unified.c.orig Fri May 12 20:19:56 2006
++++ src/output-plugins/spo_unified.c Tue Nov 7 20:28:12 2006
+@@ -126,7 +126,7 @@ typedef struct _UnifiedLog
+ typedef struct _UnifiedAlert
+ {
+ Event event;
+- struct timeval ts; /* event timestamp */
++ struct pcap_timeval ts; /* event timestamp */
+ u_int32_t sip; /* src ip */
+ u_int32_t dip; /* dest ip */
+ u_int16_t sp; /* src port */
+@@ -551,7 +551,11 @@ void RealUnifiedLogPacketAlert(Packet *p
+ * this will have to be fixed when we transition to the pa_engine
+ * code (p->pkth is libpcap specific)
+ */
+- memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader));
++ logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec;
++ logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec;
++ logheader.pkth.caplen = p->pkth->caplen;
++ logheader.pkth.pktlen = p->pkth->len;
++
+ }
+ else
+ {
+@@ -1260,7 +1264,11 @@ void OldUnifiedLogPacketAlert(Packet *p,
+ {
+ logheader.flags = p->packet_flags;
+
+- memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader));
++ logheader.pkth.ts.tv_sec = p->pkth->ts.tv_sec;
++ logheader.pkth.ts.tv_usec = p->pkth->ts.tv_usec;
++ logheader.pkth.caplen = p->pkth->caplen;
++ logheader.pkth.pktlen = p->pkth->len;
++
+
+ #ifdef GIDS
+ /*
Index: snort/patches/patch-src_snort_packet_header_h
===================================================================
RCS file: snort/patches/patch-src_snort_packet_header_h
diff -N snort/patches/patch-src_snort_packet_header_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ snort/patches/patch-src_snort_packet_header_h 7 Nov 2006 18:35:32 -0000
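Review bot: The four assignments that replace each `memcpy` implicitly narrow `p->pkth->ts.tv_sec` and `tv_usec` to `u_int32_t`; on LP64 both source fields are wider than 32 bits, so the truncation is intentional but invisible in the code and will trip `-Wconversion`. I would make it explicit with casts and move the block into one static helper so the two copies (in RealUnifiedLogPacketAlert and OldUnifiedLogPacketAlert) cannot drift apart; assuming `p->pkth` is a `struct pcap_pkthdr *`, as the retained comment calling it libpcap-specific suggests, the helper could look like the excerpt below. The stray blank line each hunk leaves after the assignments (`++` followed by `+ }`) can go at the same time. Both enclosing functions start and end outside the hunk.
```c
/* Convert libpcap's header into the fixed 32-bit layout written to the
 * unified file; the timestamp fields are wider than 32 bits on LP64, so
 * the narrowing is spelled out rather than left implicit. */
static void PcapHdrToSnortPktHeader(SnortPktHeader *dst, const struct pcap_pkthdr *src)
{
    dst->ts.tv_sec = (u_int32_t)src->ts.tv_sec;
    dst->ts.tv_usec = (u_int32_t)src->ts.tv_usec;
    dst->caplen = src->caplen;
    dst->pktlen = src->len;
}

/* … unchanged: RealUnifiedLogPacketAlert up to the pkth copy … */
    PcapHdrToSnortPktHeader(&logheader.pkth, p->pkth);
/* … unchanged: OldUnifiedLogPacketAlert up to the pkth copy … */
    PcapHdrToSnortPktHeader(&logheader.pkth, p->pkth);
```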
@@ -0,0 +1,25 @@
+$OpenBSD$
+--- src/snort_packet_header.h.orig Thu Jan 19 19:09:12 2006
++++ src/snort_packet_header.h Tue Nov 7 20:28:12 2006
+@@ -16,12 +16,20 @@
+ #include <sys/types.h>
+
+
++/* we must use fixed size of 32 bits, because on-disk
++ * format of savefiles uses 32-bit tv_sec (and tv_usec)
++ */
++struct pcap_timeval {
++ u_int32_t tv_sec; /* seconds */
++ u_int32_t tv_usec; /* microseconds */
++};
++
+ /* this is equivalent to the pcap pkthdr struct, but we need one for
+ * portability once we introduce the pa_engine code
+ */
+ typedef struct _SnortPktHeader
+ {
+- struct timeval ts; /* packet timestamp */
++ struct pcap_timeval ts;/* packet timestamp */
+ u_int32_t caplen; /* packet capture length */
+ u_int32_t pktlen; /* packet "real" length */
+ } SnortPktHeader;
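Review bot: The new `struct pcap_timeval` reuses the tag libpcap itself uses for the same two-word timestamp in its savefile code; if any pcap header snort includes ever exposes that struct, this definition becomes a redefinition error, so a snort-specific tag such as `struct snort_timeval` would be safer — I have not confirmed whether the installed pcap.h declares it. The comment should also name the actual failure being fixed rather than just the rule: `/* libpcap's savefile format stores a timestamp as two 32-bit words; struct timeval is 16 bytes on LP64, so this fixed-width copy keeps the on-disk record identical across word sizes (barnyard reads the 32-bit layout). */`. As far as I recall libpcap declares those words as signed `bpf_int32` while the patch uses `u_int32_t`; the byte layout is identical, but a one-line note saying the signedness difference is deliberate would spare the next reader a comparison against pcap's headers.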