[Snort-devel] Re: (Need Input!!) Re: Output plugin like Unixsock for W32

Spacefox cagoule at ...1278...
Sun Apr 28 04:19:01 EDT 2002


Yes the use of a file-based socket for W32 would be perfect, I also
encountered some issues with the MS VC++ project, but there is no problem
starting the plug-in now. For the snort parameter, why use 2 different
-A ?
It would be cool to have something like -A socket 192.168.0.2 (for
example); this would trigger a remote connection via unixsocket in *nix
and a winsock socket in W32 (this would be a better idea I think).
Not to be UDP (irrelevant for this task I think), and maybe over SSL...?

The traffic from the snorted host to this specific IP would
not be sniffed. I don't "think" this would present IDS issues...
Once again I agree that some input on that subject would be nice, since
being able to monitor the output of an IDS that you don't have physical
access to could be more than useful (this way I mean).

Spacefox
Pack X Crew
http://www.packx.net



> Yes, I am planning on continuing the socket feature for W32 in 1.9.x..
> But I am seeking input from the developer community on the issues I
> raised below.
> I think in winsock2 there is a file-based socket that W32 systems
> support, but I haven't tried it.
> Such a socket would obviate the need for use of the loopback IP address.
> So, I am interested in some discussion of this on the devel list first.
> In any case, I would be doing this in the next month approximately.
>
> Cheers! >>>>RWT
>
> Spacefox wrote:
>
> >Hey !
> >
> >Do you plan to continue your plugin ? I'm thinking to write one that
> >would work also over SSL (to get alerts and their details on a remote
> >host). If snort is running on a machine I can't access physically, is
> >there a way, now, to get information on my machine ?
> >
> Yes, sockets are the best way to do this.
>
> >
> >
> >Thank you very much,
> >
> >Spacefox
> >Pack X Crew
> >http://www.packx.net
> >
> >----- Original Message -----
> >From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
> >To: "Spacefox" <cagoule at ...1278...>
> >Cc: <snort-devel at lists.sourceforge.net>
> >Sent: Friday, April 19, 2002 7:41 PM
> >Subject: Re: [Snort-devel] Output plugin like Unixsock for W32
> >
> >
> >>In fact, I began (and completed) such a feature in snort 1.8.4 in a
> >>Win2000 environment. Just did this locally to allow some snorting on my
> >>Win2K box. It works by using the loopback IP addr. Pretty simple, only
> >>a few lines of code.
> >>I have meant to propose doing it in 1.9 to the devel list, but I noticed
> >>a lot of MS visual C++ project issues on the list, and was waiting for
> >>things to settle down. Looks like they have, and
> >>I would like to re-up on my offer.
> >>
> >>There are a few design decisions for a general feature such as this.
> >>Here is an email I sent (off-list) a couple of weeks back. Maybe this
> >>can rekindle discussion:
> >>
> >>There are a few design decisions we should consider for 1.9.
> >>For example:
> >>1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
> >>feature independently of -A unsock. On *nix, both would work; on win2k
> >>only lbsock.  So we would need an extra -A parm recognized. That would
> >>be reasonably easy, but would take some more coding. Otherwise, as it
> >>currently stands -A unsock activates a true Unix socket
> >>(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
> >>on w2k. Might seem confusing, but documentation could certainly take
> >>care of clarifying it, if a new command line option is to be avoided.
> >>
> >>2) In order to prevent snort from sniffing its own socket packets (when
> >>loopback routes to HOME_NET, or whatever iface snort is sniffing), there
> >> needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
> >>like:
> >>var LOOP_BACK 127.0.0.1
> >>var SOCK_PORT 46070      # same port as defined in snort.h
> >>pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
> >>....
> >>Does such a rule create any IDS issues?
> >>
> >>AFN. >>RWT
> >>
> >>Spacefox wrote:
> >>
> >>>Hello !
> >>>
> >>>Does anyone know if a plugin like unixsock has been coded in the
> >>>W32 environment ? I want to make a client/server application to get
> >>>snort information with a remote host... This plugin would output
> >>>everything (alerts, connections, packets etc...).
> >>>
> >>>Thanks in advance.
> >>>
> >>>Spacefox
> >>>Pack X Crew
> >>>http://www.packx.net
> >>>
> >>>
> >>>
> >>>
> >>>______________________________________________________________________________
> >>>ifrance.com, the most complete free email on the Internet!
> >>>your emails from a browser, via POP3, on Minitel, on WAP...
> >>>http://www.ifrance.com/_reloc/email.emailif
> >>>
> >>>_______________________________________________
> >>>Snort-devel mailing list
> >>>Snort-devel at lists.sourceforge.net
> >>>https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>>
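The loopback AF_INET/SOCK_DGRAM alert socket that the quoted design discussion describes (an AF_INET datagram socket on 127.0.0.1 standing in for the Unix socket on W32), as an added example in C that is neither Snort's code nor anything posted in this thread: a consumer that binds the loopback port and a plugin-side sender that emits one datagram per alert, written so one source builds against Winsock on W32 and BSD sockets on *nix. Assumed: the caller has run WSAStartup on W32, and the round-trip check binds an ephemeral port rather than the thread's 46070 so it can run anywhere.

```c
#include <string.h>
#ifdef _WIN32                  /* W32 build: Winsock (WSAStartup assumed done) */
#include <winsock2.h>
#include <ws2tcpip.h>
#define CLOSESOCK closesocket
#else                          /* *nix build: BSD sockets */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define CLOSESOCK close
#endif

/* Loopback endpoint for a port; identical under Winsock and BSD sockets. */
static struct sockaddr_in loop_addr(unsigned short port) {
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = inet_addr("127.0.0.1"); /* loopback, as in the quoted rule */
    return a;
}
/* Consumer side: bind UDP on 127.0.0.1 (port 0 = OS picks); returns fd or -1. */
static int open_alert_receiver(unsigned short port, unsigned short *bound) {
    struct sockaddr_in a = loop_addr(port);
    socklen_t len = sizeof a;
    int fd = (int)socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, len) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) return -1;
    *bound = ntohs(a.sin_port);   /* the port actually bound */
    return fd;
}
/* Plugin side: one datagram per alert to the loopback port. This is the
 * traffic the quoted pass rule stops snort from sniffing as its own alerts. */
static int send_alert(unsigned short port, const char *msg) {
    struct sockaddr_in a = loop_addr(port);
    int fd = (int)socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int n = (int)sendto(fd, msg, (int)strlen(msg), 0, (struct sockaddr *)&a, sizeof a);
    CLOSESOCK(fd); return n;
}
/* Round trip on an ephemeral loopback port: 1 if the alert text arrives intact. */
int loopback_roundtrip(const char *msg) {
    char buf[512]; unsigned short port = 0;
    int fd = open_alert_receiver(0, &port);
    if (fd < 0 || send_alert(port, msg) < 0) return 0;
    int n = (int)recv(fd, buf, sizeof buf - 1, 0);
    CLOSESOCK(fd);
    buf[n < 0 ? 0 : n] = '\0';
    return n >= 0 && strcmp(buf, msg) == 0;
}
```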