Found that Snort can apply both the fast and unsock alert modes at once: -A fast -A unsock. However, some functions were learned after going through the fast and unsock process.
* The structure in_addr is used to represent a 32-bit IPv4 address.
extern void *memcpy(void *destin, void *source, unsigned n);
Copies n consecutive bytes, starting at the address pointed to by source, into the space starting at the address pointed to by destin. (baidu)
public: int SendTo( SOCKET s, unsigned char buffer __gc[], int size, SocketFlags socketFlags, sockaddr FAR *addr, int len );
Return value: the length of the data actually sent.
Parameters:
s: socket
buff: buffer holding the data to be sent
size: buffer length
Flags: call mode flag, usually 0; changing Flags changes the form in which Sendto sends
addr: (optional) pointer to the destination socket address
len: the length of the address pointed to by addr
size_t fwrite(const void *buffer, size_t size, size_t count, FILE *stream);
Note: this function writes to the file in binary form and is not limited to text files.
Return value: the number of data blocks actually written.
(1) buffer: a pointer; for fwrite, it is the address of the data to be output.
(2) size: the size in bytes of each item to be written.
(3) count: the number of items, each size bytes long, to be written.
(4) stream: the target file pointer.
1. void *memset(void *s, int c, size_t n)
Overall effect: sets the first n bytes of the allocated memory block s to the value c. Each byte in the block of memory pointed to by s is set to the ASCII value specified by c. The size of the block is given by the third parameter. This function is usually used to initialize newly allocated memory, and its return value is a pointer to s.
Output
This structure was found by tracing the "->" symbol printed between the two IPs to the LogIpAddrs function, which outputs ip -> ip.
printf("!!!!!!!!!!!!!%s:%d\n", inet_ntoax(GET_SRC_ADDR(p)), p->sp); can output the IP and port in the structure p.
The packet structure stores the source IP address in x->ip4_header->source and x->iph->ip_src.
Following the trail finds: inet_ntoax(GET_SRC_ADDR(p)), p->sp, which output the IP and port. (It is suspected that inet_ntoax is a variant of inet_ntoa, implemented in a Snort header file.)
Linux function declaration: char *inet_ntoa(struct in_addr); returns a pointer to the dotted-decimal string, which is held in static memory.
printf("@@@@@@@@@@@@%s:%d\n", inet_ntoax(GET_SRC_ADDR(p)), p->sp); can output the IP and port in p.
Check whether pkt has an IP, etc.
(2) Timestamp: LogTimeStamp(data->log, p); is implemented here. It is equally simple.
Create an Alertpkt_txt structure and load it with the msg, IP, timestamp and port. Pass the structure over the socket, and the purpose is achieved.
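The last step as an added example, not code from Snort or from these notes: fill an Alertpkt_txt-style structure using memset and inet_ntoa, pass it over a datagram socket, and check it on the receiving side. The field layout, the function names and the sample values are assumptions (the notes give only the structure name and its four fields), and a local socketpair stands in for the real sender and listener.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical layout: the notes name Alertpkt_txt and its fields only. */
struct alertpkt_txt {
    char           msg[128];   /* alert message */
    char           src_ip[16]; /* dotted-decimal source IP */
    unsigned short src_port;   /* source port (p->sp in the notes) */
    long long      ts_sec;     /* alert time, seconds since the epoch */
};

/* Sender: zero first so the unused tail of each buffer is not stale memory. */
void fill_alert(struct alertpkt_txt *a, const char *msg,
                struct in_addr src, unsigned short port, long long ts) {
    memset(a, 0, sizeof *a);
    snprintf(a->msg, sizeof a->msg, "%s", msg);
    /* inet_ntoa() returns a static buffer, so copy it out immediately */
    snprintf(a->src_ip, sizeof a->src_ip, "%s", inet_ntoa(src));
    a->src_port = port;
    a->ts_sec = ts;
}

/* Receiver: reject short datagrams, then force NUL termination. */
int recv_alert(int fd, struct alertpkt_txt *out) {
    if (recv(fd, out, sizeof *out, 0) != (ssize_t)sizeof *out)
        return -1;  /* fields would be only partly filled */
    out->msg[sizeof out->msg - 1] = '\0';
    out->src_ip[sizeof out->src_ip - 1] = '\0';
    return 0;
}

/* Round trip over a local socket pair; address and text are constructed. */
int demo_roundtrip(struct alertpkt_txt *got) {
    int sv[2], rc = -1;
    struct alertpkt_txt a;
    struct in_addr src = { .s_addr = inet_addr("192.0.2.10") };
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
    fill_alert(&a, "constructed test alert", src, 4444, 1700000000);
    if (send(sv[0], &a, sizeof a, 0) == (ssize_t)sizeof a)
        rc = recv_alert(sv[1], got);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void) {
    struct alertpkt_txt g;
    return demo_roundtrip(&g) != 0;
}
```

Sending a raw struct only works when both ends are built with the same layout on the same machine, which is why the receiver checks the length and re-terminates the strings before using them.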