OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [strange work around] Re: snort alert timestamps are close to

From: Soner Tari (listkulustur.org)
Date: Sun Apr 08 2007 - 09:18:13 CDT


I believe the following type cast to u_int32_t may be considered as a
correct fix for the problem (this fixes my problem at least, and does
not look dumb):

s = (u_int32_t)(tvp->tv_sec + localzone) % 86400;

Because:

I've read the posts here (and private messages too), and all of them
point to a similar issue: timeval struct on amd64 is 64-bit, and the
type casts from pcap_timeval (which is 32-bit) to timeval in ts_print()
calls may be the problem, thus the usages must be made consistent
(thanks for those comments).

To test if consistent use of time structs could fix the problem, I
temporarily changed the definition of pcap_timeval to all "long"'s (i.e.
exactly the same struct as timeval itself, so that type casts would not
pose any problems):

struct pcap_timeval {
    long tv_sec; /* seconds */
    long tv_usec; /* microseconds */
};

Well, the problem persists (I couldn't see any difference at all). Also,
to be exact, I should mention that I failed to change the type casts in
ts_print() calls, because the compiler complains, and I didn't want to
spend more time on it (but if I am wrong about my conclusions in this
post, I should try that further). Furthermore, I defined long temp
variables within ts_print() and used them as arguments to modulo,
without success.

Otherwise, looking at the output of debug printf()'s I inserted, the
value of tvp->tv_sec within ts_print() seems intact, despite the casts.

Therefore, I've concluded that the issue is specifically on the line I
was expanding with the temp variable. My guess is that the problem is
related with the modulo operator on that line, and the compiler should
be specifically instructed about the type of the argument on the left,
thus my final fix above. I believe that's all we need.

I would appreciate any comments.