[Snort-devel] Output plugin like Unixsock for W32

Spacefox cagoule at ...1278...
Sat Apr 20 03:22:02 EDT 2002

This is great, and very useful, I was thinking to write it with SSL support
and over TCP, this would mean also to think of a way to avoid snort to
sniff this traffic (which would be output from this machine only) such as :
[Snort Machine]----- Snort infos encrypted in SSL---->[Admin Machine]

This would be in one way, (not to open a listening socket on the Snort
for that which would be stupid). So we could specify an IP address and a
to send all the snorted info, the plugin would try to connect to this
periodically, and if the connexion is accepted, to send snorted info till
the connexion
is closed. This plugin would not only send alerts, but notice when a new
with the machine happens or when a connexion is lost.

I would like to develop a remote monitoring console that would show active
connexion (like netstat) AND if they are sending any packet that matches
snort rules.

----- Original Message -----
From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
To: "Spacefox" <cagoule at ...1278...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Friday, April 19, 2002 7:41 PM
Subject: Re: [Snort-devel] Output plugin like Unixsock for W32

> In fact, I began (and completed ) such a feature in snort 1.8.4 in  a
> Win2000 environement. Just did this locally to allow some snorting on my
> Win2K box. It works by using the  loopback Ip addr.  Pretty simple only
>  a few lines of code.
> I have meant to propose doing it in 1.9 to the devel list, but I noticed
> a lot of MS visual C++ project issues on the list, and was waiting for
> things to settle down. Looks like they have, and
> I would like to re-up on my offer.
> THere are a few design decisions for a general feature such as this.
> Here is an email I sent (off-list) a couple of weeks back. Maybe this
> can rekindle discussion:
> There are a few design decisions we should consider for 1.9.
> For example:
> 1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
> feature independently of -A unsock. On *nix, both would work; on win2k
> only lbsock.  So we would need an extra -A parm recognized. That would
> be reasonably easy, but would take some more coding. Otherwise, as it
> currently stands -A unsock activates a true Unix socket
> (AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
> on w2k. Might seem confusing, but documentation could certainly take
> care of clarifying it, if a new command line option is to be avoided.
> 2) In order to prevent snort from sniffing its own socket packets (when
> loopback routes to HOME_NET, or whatever iface snort is sniffing), there
>  needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
> like:
> var SOCK_PORT 46070      # same port as defined in snort.h
> ....
> Does such a rule create any IDS issues?
> AFN. >>RWT
> Spacefox wrote:
> >Hello !
> >
> >Does anyone knows if a plugin like unixsock has been coded in the
> >W32 environment ? I want to make a client/server application to get
> >snort informations with a remote host... This plugin would output
> >(alerts, connexions, packets etc...).
> >
> >Thanks in advance.
> >
> >Spacefox
> >Pack X Crew
> >http://www.packx.net
> >
> >
> >
> >
> >ifrance.com, l'email gratuit le plus complet de l'Internet !
> >vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...
> >http://www.ifrance.com/_reloc/email.emailif
> >
> >
> >
> >_______________________________________________
> >Snort-devel mailing list
> >Snort-devel at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

ifrance.com, l'email gratuit le plus complet de l'Internet !
vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...

More information about the Snort-devel mailing list