[Snortsam-discussion] some small ssp_pf2 enhancements

Olli Hauer ohauer at gmx.de
Fri Oct 9 13:10:04 EDT 2009 

>> I made some changes in ssp_pf2.c, so tables in the main pf section
>> can be used. This can be activated with  the keyword anchor=notused
>> in snortsam.conf.
> [...]
>> I guess no one is using OpenBSD < 4.x these days so it will be save to
>> remove ssp_pf.c and ssp_pf.h

> Earlier this year I used ssp_pf and hacked that in shape to get it to
> work on FBSD 7.2 since the ssp_pf2 didn't work for me. I think the old
> method should indeed be abandoned and the newer version used. I just
> wasn't able to figure out why ssp_pf2 didn't work, so I made ssp_pf
> work. If ssp_pf2 works for everyone, I'll leave it as it is and add your
> changes. 

Do you remember some details?
 - installed from soure/port ...
 - pf load as module or build in kernel
 - tables not working
 ...

Maybe I can find out why it has not worked.


>> One thing that maybe documented is the strange thing to add an '_'
>> to the table names and the defaults are block(in|out).
>
> Not sure what you mean. Could you elaborate?

I will try to explain.

given someone configures the following line in snortsam.conf
1) pf2 log=0

this will result at the moment into this default values
- anchor=snortsam, tables=blockin,blockout

Now lets say the user configures the following line
2) pf2 table=block log=0

this will result in
- anchor=snortsam, tables=block_in,block_out

I think this is not expected, since it should result in the same as config 1)
See the following lines from ssp_pf2.c.

-	    snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_in", 
-	    snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_out", 

+	    snprintf(tbuf, PF_TABLE_NAME_SIZE, "%sin", 
+	    snprintf(tbuf, PF_TABLE_NAME_SIZE, "%sout", 


There is another issue if only the keyword 'pf2' and no paramters given snortsam crashes hard instead to use default values.

After reading the list archives I found a request from you how to sort out OpenBSD/FreeBSD/NetBSD version for makefiles.
For FreeBSD there is a solution, I will ask at the OpenBSD dev list if there is something equal.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/freebsd-versions.html

New diff for ssp_pf2.c to honor the default value problem, and additional ignore anchor with the keyword
anchor=none|notused.

I will write an additional README.pf2, but first I want to add some syslog code which works on all *BSD's

Regards,
olli

Index: ssp_pf2.c
===================================================================
RCS file: /cvsroot/snortsam/snortsam/src/ssp_pf2.c,v
retrieving revision 3.1
diff -u -r3.1 ssp_pf2.c
--- ssp_pf2.c   14 Apr 2009 18:50:45 -0000      3.1
+++ ssp_pf2.c   9 Oct 2009 09:50:32 -0000
@@ -47,6 +47,7 @@
 #include "snortsam.h"
 #include "ssp_pf2.h"

+unsigned int use_anchor = TRUE;

 /* Routine for opt parsing ( opt=value opt2=value2 etc. ) */
 int parse_opts(char *line, opt_pf2 *opt, char *sep, char *int_sep, int nopt)
@@ -138,6 +139,10 @@
        else
          {
             safecopy(pfp->anchorname, options[PF2_OPT_ANCHOR].v.value_s);      /* save anchorname */
+            /* if use_anchor = FALSE then tables from the main pf section will be used */
+            if ((strncmp(options[PF2_OPT_ANCHOR].v.value_s, "notused", MAX_OPT_VALUE)==0) ||
+               (strncmp(options[PF2_OPT_ANCHOR].v.value_s, "none", MAX_OPT_VALUE)==0))
+                use_anchor = FALSE;
          }

        /* Check Table */
@@ -153,10 +158,10 @@
        else
          {
            /* save tablenames */
-           snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_in",
+           snprintf(tbuf, PF_TABLE_NAME_SIZE, "%sin",
                     options[PF2_OPT_TABLE].v.value_s);
            safecopy(pfp->tablein,  tbuf);
-           snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_out",
+           snprintf(tbuf, PF_TABLE_NAME_SIZE, "%sout",
                     options[PF2_OPT_TABLE].v.value_s);
            safecopy(pfp->tableout, tbuf);
          }
@@ -258,7 +263,10 @@

        bzero(&io, sizeof(io));
        strlcpy(io.pfrio_table.pfrt_name, table, sizeof(io.pfrio_table.pfrt_name));
-       strlcpy(io.pfrio_table.pfrt_anchor, anchor, sizeof(io.pfrio_table.pfrt_anchor));
+
+       if (use_anchor == TRUE)
+               strlcpy(io.pfrio_table.pfrt_anchor, anchor,
+                       sizeof(io.pfrio_table.pfrt_anchor));
        io.pfrio_buffer = &addr;
        io.pfrio_esize = sizeof(addr);
        io.pfrio_size = 1;
@@ -287,6 +295,10 @@
                 logmessage(3, msg, "pf2", 0);
                return (-1);
        }
+#ifdef FWSAMDEBUG
+       printf("[DEBUG] %s %s %s anchor=%s table=%s\n",
+               add ? "add" : "remove", ipsrc, add ? "to" : "from", anchor, table);
+#endif
        return (0);
 }

-- 
Neu: GMX DSL bis 50.000 kBit/s und 200,- Euro Startguthaben!
http://portal.gmx.net/de/go/dsl02

More information about the Snortsam-discussion mailing list