[Snort-devel] (Need Input!!) Re: Output plugin like Unixsock for W32
Dr. Richard W. Tibbs
tewg at ...1280...
Fri Apr 26 11:51:05 EDT 2002
Yes, I am planning on continuing the socket feature for W32 in 1.9.x.
But I am seeking input from the developer community on the issues I
I think in winsock2 there is a file-based socket that W32 systems
support, but I haven't tried it.
Such a socket would obviate the need for use of the loopback IP address.
So, I am interested in some discussion of this on the devel list first.
In any case, I would be doing this in the next month approximately.
>Do you plan to continue your plugin? I'm thinking to write one that would
>work also over SSL (to get alerts and their details on a remote host). If
>snort is running on a machine I can't access physically, is there a way
>to get information on my machine?
Yes, sockets are the best way to do this.
>Thank you very much,
>Pack X Crew
>----- Original Message -----
>From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
>To: "Spacefox" <cagoule at ...1278...>
>Cc: <snort-devel at lists.sourceforge.net>
>Sent: Friday, April 19, 2002 7:41 PM
>Subject: Re: [Snort-devel] Output plugin like Unixsock for W32
>>In fact, I began (and completed) such a feature in snort 1.8.4 in a
>>Win2000 environment. Just did this locally to allow some snorting on my
>>Win2K box. It works by using the loopback IP addr. Pretty simple, only
>>a few lines of code.
>>I have meant to propose doing it in 1.9 to the devel list, but I noticed
>>a lot of MS visual C++ project issues on the list, and was waiting for
>>things to settle down. Looks like they have, and
>>I would like to re-up on my offer.
>>There are a few design decisions for a general feature such as this.
>>Here is an email I sent (off-list) a couple of weeks back. Maybe this
>>can rekindle discussion:
>>There are a few design decisions we should consider for 1.9.
>>1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
>>feature independently of -A unsock. On *nix, both would work; on win2k
>>only lbsock. So we would need an extra -A parm recognized. That would
>>be reasonably easy, but would take some more coding. Otherwise, as it
>>currently stands -A unsock activates a true Unix socket
>>(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
>>on w2k. Might seem confusing, but documentation could certainly take
>>care of clarifying it, if a new command line option is to be avoided.
>>2) In order to prevent snort from sniffing its own socket packets (when
>>loopback routes to HOME_NET, or whatever iface snort is sniffing), there
>>needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
>>var LOOP_BACK 127.0.0.1
>>var SOCK_PORT 46070 # same port as defined in snort.h
>>pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
>>Does such a rule create any IDS issues?
>>>Does anyone know if a plugin like unixsock has been coded in the
>>>W32 environment? I want to make a client/server application to get
>>>snort information with a remote host... This plugin would output
>>>(alerts, connections, packets etc...).
>>>Thanks in advance.
>>>Pack X Crew
>>>Snort-devel mailing list
>>>Snort-devel at lists.sourceforge.net
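The thread's design question is which datagram transport the alert output should use: a true AF_UNIX SOCK_DGRAM socket on *nix, or an AF_INET SOCK_DGRAM socket on the loopback address where Unix sockets are unavailable. The following added example (written for this page, not Snort's unsock plugin code) is a minimal sender/receiver pair that implements both choices behind one flag so the two can be compared side by side. The socket path /tmp/snort_alert_example, the helper names, and the sample alert text are assumptions for the example; port 46070 is the one named in the thread, and the receiver accepts port 0 so a test can let the kernel pick a free port.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define SOCK_PORT   46070                      /* UDP port named in the thread */
#define UNSOCK_PATH "/tmp/snort_alert_example" /* assumed path, not Snort's own */

/* Matching snort.conf fragment from the thread, so Snort does not alert on its
 * own loopback datagrams when the sniffed interface sees 127.0.0.1 traffic:
 *   var LOOP_BACK 127.0.0.1
 *   var SOCK_PORT 46070
 *   pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
 */

/* Receiving end. use_loopback != 0: AF_INET datagram socket bound to
 * 127.0.0.1:port (port 0 lets the kernel choose); otherwise an AF_UNIX
 * datagram socket bound to path. Returns the fd or -1. */
int open_alert_receiver(int use_loopback, int port, const char *path)
{
    int fd;
    struct timeval tv = { 2, 0 };              /* never block forever on recv */

    if (use_loopback) {
        struct sockaddr_in a;
        fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0) return -1;
        memset(&a, 0, sizeof a);
        a.sin_family = AF_INET;
        a.sin_port = htons((unsigned short)port);
        a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* 127.0.0.1 only, never 0.0.0.0 */
        if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    } else {
        struct sockaddr_un a;
        fd = socket(AF_UNIX, SOCK_DGRAM, 0);
        if (fd < 0) return -1;
        memset(&a, 0, sizeof a);
        a.sun_family = AF_UNIX;
        strncpy(a.sun_path, path, sizeof a.sun_path - 1);
        unlink(path);                           /* stale socket file from a previous run */
        if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    }
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    return fd;
}

/* Port actually bound by an AF_INET receiver (resolves a port-0 bind). */
int receiver_port(int fd)
{
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    if (getsockname(fd, (struct sockaddr *)&a, &len) < 0) return -1;
    return ntohs(a.sin_port);
}

/* Sending end: one datagram per alert, same transport choice as the receiver.
 * Returns bytes sent or -1. */
int send_alert(int use_loopback, int port, const char *path, const char *msg)
{
    int fd, n;
    struct sockaddr_in in4;
    struct sockaddr_un un;
    struct sockaddr *sa;
    socklen_t salen;

    if (use_loopback) {
        memset(&in4, 0, sizeof in4);
        in4.sin_family = AF_INET;
        in4.sin_port = htons((unsigned short)port);
        in4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa = (struct sockaddr *)&in4; salen = sizeof in4;
        fd = socket(AF_INET, SOCK_DGRAM, 0);
    } else {
        memset(&un, 0, sizeof un);
        un.sun_family = AF_UNIX;
        strncpy(un.sun_path, path, sizeof un.sun_path - 1);
        sa = (struct sockaddr *)&un; salen = sizeof un;
        fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    }
    if (fd < 0) return -1;
    n = (int)sendto(fd, msg, strlen(msg), 0, sa, salen);
    close(fd);
    return n;
}

/* Receive one alert datagram into buf (NUL-terminated). Returns bytes or -1. */
int recv_alert(int fd, char *buf, size_t len)
{
    ssize_t n = recv(fd, buf, len - 1, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Round trip over one transport: 1 if msg arrives intact, 0 otherwise. */
int roundtrip(int use_loopback, const char *msg)
{
    char buf[512];
    int ok = 0;
    int fd = open_alert_receiver(use_loopback, 0, UNSOCK_PATH);
    if (fd < 0) return 0;
    int port = use_loopback ? receiver_port(fd) : 0;
    if (send_alert(use_loopback, port, UNSOCK_PATH, msg) >= 0 &&
        recv_alert(fd, buf, sizeof buf) >= 0)
        ok = strcmp(buf, msg) == 0;
    close(fd);
    if (!use_loopback) unlink(UNSOCK_PATH);
    return ok;
}

int main(void)
{
    const char *alert = "[**] constructed sample alert [**]"; /* constructed */
    printf("unix socket:  %s\n", roundtrip(0, alert) ? "ok" : "failed");
    printf("loopback udp: %s\n", roundtrip(1, alert) ? "ok" : "failed");
    return 0;
}
```

Two points worth checking against the thread's snort.conf fragment. First, the pass rule pins both source and destination port to $SOCK_PORT, but a sender that does not bind (as above, and as any unbound UDP client) gets an ephemeral source port, so the datagrams would not match it; either bind the sender to SOCK_PORT as well or write the rule as `pass udp $LOOP_BACK any -> $LOOP_BACK $SOCK_PORT`. Second, in Snort 1.x the default rule order is Alert, Pass, Log, so a pass rule only suppresses alerts when Snort is started with `-o` (Pass, Alert, Log); without it the loopback traffic is still evaluated against the alert rules first. Binding the AF_INET receiver to INADDR_LOOPBACK rather than INADDR_ANY keeps the alert feed off every non-loopback interface, which is the property the Unix-socket variant gets for free from filesystem permissions on the socket path.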