[Snort-devel] (Need Input!!) Re: Output plugin like Unixsock for W32

Dr. Richard W. Tibbs tewg at ...1280...
Fri Apr 26 11:51:05 EDT 2002


Yes, I am planning on continuing the socket feature for W32 in 1.9.x.
But I am seeking input from the developer community on the issues I 
raised below.
I think in winsock2 there is a file-based socket that W32 systems 
support, but I haven't tried it.
Such a socket would obviate the need for use of the loopback IP address.
So, I am interested in some discussion of this on the devel list first.
In any case, I would be doing this in the next month approximately.

Cheers! >>>>RWT

Spacefox wrote:

>Hey!
>
>Do you plan to continue your plugin? I'm thinking of writing one that would
>also work over SSL (to get alerts and their details on a remote host). If
>snort is running on a machine I can't access physically, is there a way, now,
>to get information on my machine?
>
>
Yes, sockets are the best way to do this.

>
>
>Thank you very much,
>
>Spacefox
>Pack X Crew
>http://www.packx.net
>
>----- Original Message -----
>From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
>To: "Spacefox" <cagoule at ...1278...>
>Cc: <snort-devel at lists.sourceforge.net>
>Sent: Friday, April 19, 2002 7:41 PM
>Subject: Re: [Snort-devel] Output plugin like Unixsock for W32
>
>
>>In fact, I began (and completed) such a feature in snort 1.8.4 in a
>>Win2000 environment. Just did this locally to allow some snorting on my
>>Win2K box. It works by using the loopback IP addr. Pretty simple, only
>>a few lines of code.
>>I have meant to propose doing it in 1.9 to the devel list, but I noticed
>>a lot of MS Visual C++ project issues on the list, and was waiting for
>>things to settle down. Looks like they have, and
>>I would like to re-up on my offer.
>>
>>There are a few design decisions for a general feature such as this.
>>Here is an email I sent (off-list) a couple of weeks back. Maybe this
>>can rekindle discussion:
>>
>>There are a few design decisions we should consider for 1.9.
>>For example:
>>1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
>>feature independently of -A unsock. On *nix, both would work; on win2k
>>only lbsock.  So we would need an extra -A parm recognized. That would
>>be reasonably easy, but would take some more coding. Otherwise, as it
>>currently stands -A unsock activates a true Unix socket
>>(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
>>on w2k. Might seem confusing, but documentation could certainly take
>>care of clarifying it, if a new command line option is to be avoided.
>>
>>2) In order to prevent snort from sniffing its own socket packets (when
>>loopback routes to HOME_NET, or whatever iface snort is sniffing), there
>>needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
>>like:
>>var LOOP_BACK 127.0.0.1
>>var SOCK_PORT 46070      # same port as defined in snort.h
>>pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
>>....
>>Does such a rule create any IDS issues?
>>
>>AFN. >>RWT
>>
>>Spacefox wrote:
>>
>>>Hello!
>>>
>>>Does anyone know if a plugin like unixsock has been coded in the
>>>W32 environment? I want to make a client/server application to get
>>>snort information with a remote host... This plugin would output
>>>everything (alerts, connections, packets etc...).
>>>
>>>Thanks in advance.
>>>
>>>Spacefox
>>>Pack X Crew
>>>http://www.packx.net
>>>
>>>_______________________________________________
>>>Snort-devel mailing list
>>>Snort-devel at lists.sourceforge.net
>>>https://lists.sourceforge.net/lists/listinfo/snort-devel
>
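A minimal version of the loopback UDP channel this thread proposes, added here as an example and not code from Snort or from the thread's authors: the receiver binds 127.0.0.1 and the plugin side sends one alert record per AF_INET/SOCK_DGRAM datagram, which is what the W32 build would use in place of the AF_UNIX socket. Assumptions: POSIX headers (on Win32 the same calls come from winsock2 after WSAStartup()), an ephemeral port instead of SOCK_PORT 46070 so the demo cannot collide with a running sensor, and hypothetical function names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Receiver side: bind a UDP socket on 127.0.0.1. Port 0 (ephemeral) is an
 * assumption so the demo cannot collide with a sensor's SOCK_PORT. */
static int open_alert_receiver(unsigned short *port_out) {
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* never 0.0.0.0: loopback only */
    a.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &alen) < 0) { close(fd); return -1; }
    *port_out = ntohs(a.sin_port);
    return fd;
}

/* Plugin side: one alert record per datagram to the loopback receiver. */
static int send_alert(unsigned short port, const char *rec, size_t len) {
    struct sockaddr_in a;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    ssize_t n = sendto(fd, rec, len, 0, (struct sockaddr *)&a, sizeof a);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Round-trip one record; returns bytes received (NUL-terminated in out) or -1. */
int loopback_alert_roundtrip(const char *rec, char *out, size_t outlen) {
    unsigned short port;
    int rfd = open_alert_receiver(&port);
    if (rfd < 0) return -1;
    if (send_alert(port, rec, strlen(rec)) < 0) { close(rfd); return -1; }
    ssize_t n = recvfrom(rfd, out, outlen - 1, 0, NULL, NULL);
    close(rfd);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}
```

Because the receiver binds INADDR_LOOPBACK rather than INADDR_ANY, the alert port is never reachable from a non-loopback interface, which is the same concern behind the pass rule discussed above.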