[Snort-devel] Output plugin like Unixsock for W32

Spacefox cagoule at ...1278...
Sat Apr 20 03:22:02 EDT 2002


This is great, and very useful. I was thinking of writing it with SSL support
and over TCP; this would also mean thinking of a way to avoid snort sniffing
this traffic (which would be output from this machine only), such as:
[Snort Machine]----- Snort info encrypted in SSL---->[Admin Machine]

This would be one-way (not opening a listening socket on the Snort machine
for that, which would be stupid). So we could specify an IP address and a port
to send all the snorted info to; the plugin would try to connect to this
machine+port periodically, and if the connection is accepted, send snorted
info until the connection is closed. This plugin would not only send alerts,
but also notice when a new connection with the machine happens or when a
connection is lost.

I would like to develop a remote monitoring console that would show active
connections (like netstat) AND whether they are sending any packet that matches
snort rules.
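
As an added example (not code from this thread, from Snort, or from either poster), here is a minimal model of the out-bound channel sketched above: the sensor side never listens, it dials the admin console, retries until the console accepts, streams newline-delimited alerts, and records connect/lost events; a stand-in console collects what arrives. The class and function names (AlertForwarder, run_console, demo, pass_rule), the JSON line format and the sample alerts are all assumptions made for the demo. TLS is left out so it runs offline; wrapping the client socket with ssl.SSLContext.wrap_socket() is where it would go. The pass rule is written in Snort 1.x rule syntax by analogy with the loopback rule in the quoted message, and is likewise an assumption.

```python
"""Added example, not from the thread or from Snort: sensor dials out to an
admin console, retries until accepted, streams JSON-line alerts, and notes
connection state changes. TLS omitted so the demo runs offline."""
import json
import socket
import threading


class AlertForwarder:
    """Sensor-side client (hypothetical name). It only connects out, never listens."""

    def __init__(self, host, port, timeout=1.0):
        self.host, self.port, self.timeout = host, port, timeout
        self.sock = None
        self.events = []  # state changes a console would want to be told about

    def connect(self):
        """One connection attempt; the caller retries periodically. True on success."""
        try:
            self.sock = socket.create_connection((self.host, self.port), timeout=self.timeout)
        except OSError:
            return False
        self.events.append("connected")
        return True

    def send_alert(self, alert):
        """Send one alert as a JSON line. A write error marks the link lost, and
        the next call falls back to connect()."""
        if self.sock is None and not self.connect():
            return False
        try:
            self.sock.sendall((json.dumps(alert) + "\n").encode())
            return True
        except OSError:
            self.close("lost")
            return False

    def close(self, reason="closed"):
        if self.sock is not None:
            self.sock.close()
            self.sock = None
            self.events.append(reason)


def pass_rule(sensor_ip, admin_ip, admin_port):
    """Assumed Snort 1.x pass rule so the sensor does not alert on its own
    out-bound channel (same idea as the loopback rule quoted in the thread)."""
    return f"pass tcp {sensor_ip} any -> {admin_ip} {admin_port}"


def run_console(listener, expected, received):
    """Stand-in admin console: accept one sensor and read `expected` alert lines."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as lines:
        for _ in range(expected):
            received.append(json.loads(lines.readline()))
    listener.close()


def demo():
    """Drive the exchange on 127.0.0.1: the first dial is refused because the
    console is not up yet, the console starts, the retry succeeds and two
    constructed sample alerts flow. Returns (first_try, sent, received, events)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]  # bound but not yet listening
    fwd = AlertForwarder("127.0.0.1", port)
    first_try = fwd.connect()         # refused: nobody is listening yet
    listener.listen(1)
    received = []
    console = threading.Thread(target=run_console, args=(listener, 2, received))
    console.start()
    alerts = [  # constructed sample alerts, the kind unixsock hands to a listener
        {"sid": 1, "msg": "sample rule hit", "src": "10.0.0.5", "dst": "10.0.0.9"},
        {"sid": 2, "msg": "second sample", "src": "10.0.0.7", "dst": "10.0.0.9"},
    ]
    sent = [fwd.send_alert(a) for a in alerts]  # first call reconnects, then sends
    console.join(5)
    fwd.close()
    return first_try, sent, received, fwd.events


if __name__ == "__main__":
    print(demo())
    print(pass_rule("192.0.2.10", "192.0.2.20", 46070))
```

The retry loop a real plugin would run is left to the caller (sleep, then connect() again) so the demo stays deterministic; note that a silently dropped peer is only noticed on the next failed write, which is why the console should also expect periodic traffic rather than treating silence as "still connected".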


----- Original Message -----
From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
To: "Spacefox" <cagoule at ...1278...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Friday, April 19, 2002 7:41 PM
Subject: Re: [Snort-devel] Output plugin like Unixsock for W32


> In fact, I began (and completed) such a feature in snort 1.8.4 in a
> Win2000 environment. Just did this locally to allow some snorting on my
> Win2K box. It works by using the loopback IP addr. Pretty simple, only
> a few lines of code.
> I have meant to propose doing it in 1.9 to the devel list, but I noticed
> a lot of MS Visual C++ project issues on the list, and was waiting for
> things to settle down. Looks like they have, and
> I would like to re-up on my offer.
>
> There are a few design decisions for a general feature such as this.
> Here is an email I sent (off-list) a couple of weeks back. Maybe this
> can rekindle discussion:
>
> There are a few design decisions we should consider for 1.9.
> For example:
> 1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
> feature independently of -A unsock. On *nix, both would work; on win2k
> only lbsock.  So we would need an extra -A parm recognized. That would
> be reasonably easy, but would take some more coding. Otherwise, as it
> currently stands -A unsock activates a true Unix socket
> (AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
> on w2k. Might seem confusing, but documentation could certainly take
> care of clarifying it, if a new command line option is to be avoided.
>
> 2) In order to prevent snort from sniffing its own socket packets (when
> loopback routes to HOME_NET, or whatever iface snort is sniffing), there
> needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
> like:
> var LOOP_BACK 127.0.0.1
> var SOCK_PORT 46070      # same port as defined in snort.h
> pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
> ....
> Does such a rule create any IDS issues?
>
> AFN. >>RWT
>
> Spacefox wrote:
>
> >Hello !
> >
> >Does anyone know if a plugin like unixsock has been coded in the
> >W32 environment? I want to make a client/server application to get
> >snort information with a remote host... This plugin would output everything
> >(alerts, connections, packets etc...).
> >
> >Thanks in advance.
> >
> >Spacefox
> >Pack X Crew
> >http://www.packx.net
> >
> >
> >
> >
> >
> >______________________________________________________________________________
> >ifrance.com, the most complete free e-mail on the Internet!
> >your e-mails from a browser, via POP3, on Minitel, on WAP...
> >http://www.ifrance.com/_reloc/email.emailif
> >
> >
> >
> >_______________________________________________
> >Snort-devel mailing list
> >Snort-devel at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/snort-devel
> >