[Snort-devel] Re: (Need Input!!) Re: Output plugin like Unixsock for W32

Dr. Richard W. Tibbs tewg at ...1280...
Mon Apr 29 09:02:12 EDT 2002


Thanks for the input!

Spacefox wrote:

>Yes, the use of a file-based socket for W32 would be perfect. I also
>encountered some issues with the MS VC++ project, but there is no problem
>starting the plug-in now. For the snort parameter, why use 2 different
>-A options?
>
Yes, a single socket option would be possible.

>
>It would be cool to have something like -A socket 192.168.0.2 (for
>
But, using an IP address is counter to the idea of using a file handle for
the socket. Given unpredictable changes to network topologies, what is
to prevent 192.168.0.2 from suddenly being routed through the interface that
snort is sniffing?
I know, usually an internal IP won't ever be routed through the
firewall, but if we allow arbitrary IP addresses, then snort can be
sniffing its own socket alert traffic. Hmmmm....... seems to require
an extra rule
"pass <local_IP_addr> any -> <socket_IP_addr> any"
which is what I think we should avoid.

>
>example) this would trigger a remote connection via unixsocket in *nix
>and a winsock socket in W32 (this would be a better idea I think).
>Not UDP (irrelevant for this task I think), and maybe over SSL...?
>
Why not UDP?  The code is simpler than a TCP bytestream, and alerts are 
a lot like telemetry. I have had no problem with DGRAM style service.
It seems to me unlikely that such sockets would be used over large 
distances with unreliable links.
The typical usage of the socket would be interprocess communication with 
other programs located behind the firewall, would it not?  

Also, the current unix socket is a SOCK_DGRAM mode socket, so backward 
compatibility would be preserved.

>
>
>The traffic from the snorted host to this specific IP would
>not be sniffed. I don't "think" this would present IDS issues...
>Once again, I agree that some input on that subject would be nice, since
>being able to monitor the output of an IDS that you don't have physical
>access to could be more than useful (this way, I mean).
>
>Spacefox
>Pack X Crew
>http://www.packx.net
>
>
>
>>Yes, I am planning on continuing the socket feature for W32 in 1.9.x.
>>But I am seeking input from the developer community on the issues I
>>raised below.
>>I think in winsock2 there is a file-based socket that W32 systems
>>support, but I haven't tried it.
>>Such a socket would obviate the need for use of the loopback IP address.
>>So, I am interested in some discussion of this on the devel list first.
>>In any case, I would be doing this in the next month approximately.
>>
>>Cheers! >>>>RWT
>>
>>Spacefox wrote:
>>
>>>Hey !
>>>
>>>Do you plan to continue your plugin? I'm thinking of writing one that
>>>would also work over SSL (to get alerts and their details on a remote
>>>host). If snort is running on a machine I can't access physically, is
>>>there a way, now, to get information on my machine?
>>>
>>Yes, sockets are the best way to do this.
>>
>>>
>>>Thank you very much,
>>>
>>>Spacefox
>>>Pack X Crew
>>>http://www.packx.net
>>>
>>>----- Original Message -----
>>>From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
>>>To: "Spacefox" <cagoule at ...1278...>
>>>Cc: <snort-devel at lists.sourceforge.net>
>>>Sent: Friday, April 19, 2002 7:41 PM
>>>Subject: Re: [Snort-devel] Output plugin like Unixsock for W32
>>>
>>>
>>>>In fact, I began (and completed) such a feature in snort 1.8.4 in a
>>>>Win2000 environment. Just did this locally to allow some snorting on my
>>>>Win2K box. It works by using the loopback IP addr. Pretty simple, only
>>>>a few lines of code.
>>>>I have meant to propose doing it in 1.9 to the devel list, but I noticed
>>>>a lot of MS visual C++ project issues on the list, and was waiting for
>>>>things to settle down. Looks like they have, and
>>>>I would like to re-up on my offer.
>>>>
>>>>There are a few design decisions for a general feature such as this.
>>>>Here is an email I sent (off-list) a couple of weeks back. Maybe this
>>>>can rekindle discussion:
>>>>
>>>>There are a few design decisions we should consider for 1.9.
>>>>For example:
>>>>1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
>>>>feature independently of -A unsock. On *nix, both would work; on win2k
>>>>only lbsock.  So we would need an extra -A parm recognized. That would
>>>>be reasonably easy, but would take some more coding. Otherwise, as it
>>>>currently stands -A unsock activates a true Unix socket
>>>>(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
>>>>on w2k. Might seem confusing, but documentation could certainly take
>>>>care of clarifying it, if a new command line option is to be avoided.
>>>>
>>>>2) In order to prevent snort from sniffing its own socket packets (when
>>>>loopback routes to HOME_NET, or whatever iface snort is sniffing), there
>>>>needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
>>>>like:
>>>>var LOOP_BACK 127.0.0.1
>>>>var SOCK_PORT 46070      # same port as defined in snort.h
>>>>pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
>>>>....
>>>>Does such a rule create any IDS issues?
>>>>
>>>>AFN. >>RWT
>>>>
>>>>Spacefox wrote:
>>>>
>>>>>Hello !
>>>>>
>>>>>Does anyone know if a plugin like unixsock has been coded in the
>>>>>W32 environment? I want to make a client/server application to get
>>>>>snort information with a remote host... This plugin would output
>>>>>everything (alerts, connections, packets etc...).
>>>>>
>>>>>Thanks in advance.
>>>>>
>>>>>Spacefox
>>>>>Pack X Crew
>>>>>http://www.packx.net
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>_______________________________________________
>>>>>Snort-devel mailing list
>>>>>Snort-devel at lists.sourceforge.net
>>>>>https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>
>>
>
>
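The thread compares two SOCK_DGRAM transports for the alert output: the AF_UNIX socket that -A unsock opens on *nix, and an AF_INET datagram socket on the loopback address for Win32. The following is an added example written for this page, not code from Snort or from anyone in the thread. It moves one constructed alert string from a "snort side" sender to a consumer over each transport and returns how many bytes arrived, so the difference the discussion turns on is visible: the loopback datagram is real IP traffic that a sniffing Snort could see, while the AF_UNIX rendezvous is a filesystem path that never crosses an interface. The socket path, the alert text and the use of an ephemeral port (so the example never collides with a real Snort on SOCK_PORT) are assumptions made for this example.

```c
/*
 * Added example, not code from Snort or from anyone in this thread.
 * Two datagram transports for alert telemetry:
 *   - AF_UNIX  (what -A unsock does on *nix: a filesystem rendezvous)
 *   - AF_INET on 127.0.0.1 (the Win32/loopback variant)
 * Socket path, alert text and the ephemeral port are assumptions.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/un.h>

#define SOCK_PORT 46070   /* port the thread quotes from snort.h; not used below */

/* Receive one datagram, waiting at most two seconds; NUL-terminates it. */
static ssize_t recv_one(int fd, char *out, size_t outlen)
{
    struct timeval tv = { 2, 0 };
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0)
        return -1;
    ssize_t n = recv(fd, out, outlen - 1, 0);
    if (n >= 0)
        out[n] = '\0';
    return n;
}

static void close_pair(int a, int b)
{
    if (a >= 0) close(a);
    if (b >= 0) close(b);
}

/* Loopback variant (AF_INET, SOCK_DGRAM on 127.0.0.1). Returns bytes
 * received or -1. This datagram is real IP traffic, which is why the
 * thread worries about Snort sniffing it on whatever interface it watches. */
ssize_t loopback_dgram_roundtrip(const char *alert, char *out, size_t outlen)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    ssize_t n = -1;
    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0)
        goto out;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(0);                     /* ephemeral; a plugin would use SOCK_PORT */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(rx, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;
    if (getsockname(rx, (struct sockaddr *)&addr, &alen) < 0)  /* learn the chosen port */
        goto out;
    if (sendto(tx, alert, strlen(alert), 0, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;
    n = recv_one(rx, out, outlen);
out:
    close_pair(rx, tx);
    return n;
}

/* Unix-domain variant (AF_UNIX, SOCK_DGRAM). Same datagram semantics, but
 * the rendezvous is a path, so nothing crosses an IP interface and no
 * "pass" rule is needed. Returns bytes received or -1. */
ssize_t unix_dgram_roundtrip(const char *path, const char *alert, char *out, size_t outlen)
{
    struct sockaddr_un addr;
    ssize_t n = -1;
    int rx = socket(AF_UNIX, SOCK_DGRAM, 0);
    int tx = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0 || strlen(path) >= sizeof addr.sun_path)
        goto out;

    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);                         /* a stale socket file would make bind() fail */
    if (bind(rx, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;
    if (sendto(tx, alert, strlen(alert), 0, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;
    n = recv_one(rx, out, outlen);
out:
    close_pair(rx, tx);
    unlink(path);
    return n;
}

int main(void)
{
    /* Constructed alert text for illustration; not the unixsock plugin's wire format. */
    const char *alert = "[**] example alert [**] 10.0.0.5:1234 -> 10.0.0.9:80";
    char buf[256];
    ssize_t n;

    n = loopback_dgram_roundtrip(alert, buf, sizeof buf);
    printf("loopback: %zd bytes: %s\n", n, n < 0 ? strerror(errno) : buf);

    n = unix_dgram_roundtrip("/tmp/snort_alert_example.sock", alert, buf, sizeof buf);
    printf("unix:     %zd bytes: %s\n", n, n < 0 ? strerror(errno) : buf);
    return 0;
}
```

Only the loopback variant can ever show up in the packet stream Snort decodes, which is the case the quoted snort.conf `pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT` rule is meant to cover; the AF_UNIX variant needs no such rule because the kernel never hands those datagrams to a network interface.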
