[Snort-devel] (Need Input!!) Re: Output plugin like Unixsock for W32

Spacefox cagoule at ...1278...
Mon Apr 29 12:02:48 EDT 2002


Yes, a single socket option would be preferable... if the commands start
to differ depending on the OS snort is running on... hmm :-/ and since this command
would do strictly the same thing on *NIX and Win boxes... only some
code makes the difference :-)

> >It would be cool to have something like -A socket 192.168.0.2 (for

> But, to use IP address is counter to the idea of using a file handle for
> the socket. Given unpredictable  changes to network topologies, what is
> to prevent 192.168.0.2 being suddenly routed through the interface that
> snort is sniffing?
> I know, usually an internal IP won't ever be routed through the
> firewall, but if we allow arbitrary IP addresses, then snort can be
> sniffing its own socket alert traffic.  Hmmmm.......  seems to require
> an extra rule
> "pass <local_IP_addr> any -> <socket_IP_addr> any"
> which is what I think we should avoid.

Yes I agree with you, but my idea was to do it in TCP AND over SSL.
Why? Simply because UDP has no SYN/ACK, so it is more than easily hijackable,
and for security a TCP stream is better I think... In my case, I want to have
a remote console (my machine) and snort is running on "snorted_IP"; if someone
wants to mess with me... he could flood me with crafted packets with
"snorted_IP" as source IP and with fake alerts, then my console is flooded
with fake alerts, while maybe some real bad things are happening... This is
not impossible to do with TCP... but much much harder ;-)

Now, why do I want to SSL the alerts output? Simply because when it is
encrypted, the snort plugin will be able to send alerts to the socket_IP_addr
and it will be decrypted by the host that is supposed to receive these alerts.
So Snort won't sniff its own alerts... it will sniff an encrypted stream and it
will be even harder to hijack (except if it happens at the start).
I think it would be ok... snort would just sniff the alert packet one more time
(but encrypted that time... ).

> Also, the current unix socket is a SOCK_DGRAM mode socket, so backward
> compatibility would be preserved.

Yes... I agree, but it seems like the unix socket plugin is not so used; maybe
it's the moment to make something brand new ;-)


Spacefox
Pack X Crew
http://www.packx.net
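The argument above is that a UDP alert feed lets anyone who can spoof "snorted_IP" flood the console with forged alerts, and that a TCP stream protected end to end is much harder to abuse. As an added illustration (this is not code from the thread, from Snort, or from any of the posters), the Python below builds a minimal authenticated alert channel over TCP on loopback: each alert is framed with a length prefix and an HMAC-SHA256 tag under a shared key, and the console side rejects frames whose tag does not verify and frames whose sequence number does not advance. The shared-key HMAC stands in for the SSL layer proposed in the thread (an assumption made here to keep the example self-contained), and the key, port, alert strings and function names are all constructed.

```python
import hashlib
import hmac
import json
import socket
import struct
import threading

# Constructed placeholder key; a real deployment would provision it out of band.
SHARED_KEY = b"snort-console-demo-key"
TAG_LEN = 32  # HMAC-SHA256 digest length


def frame_alert(seq, alert, key=SHARED_KEY):
    """Sensor side: 4-byte big-endian length | JSON body | HMAC tag over the body."""
    body = json.dumps({"seq": seq, "alert": alert}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack("!I", len(body)) + body + tag


class AlertVerifier:
    """Console side: accept a frame only if its tag verifies and its seq advances."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def verify(self, frame):
        if len(frame) < 4:
            return None, "truncated"
        (length,) = struct.unpack("!I", frame[:4])
        body = frame[4:4 + length]
        tag = frame[4 + length:4 + length + TAG_LEN]
        if len(body) != length or len(tag) != TAG_LEN:
            return None, "truncated"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: a forged or tampered frame fails here.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        msg = json.loads(body)
        # Replayed frames carry an old sequence number and are dropped.
        if msg["seq"] <= self.last_seq:
            return None, "replay"
        self.last_seq = msg["seq"]
        return msg["alert"], "ok"


def recv_exact(conn, n):
    """Read exactly n bytes from a stream socket, or None if the peer closed."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def read_frame(conn):
    """Read one length-prefixed frame (header, body and tag) from the stream."""
    hdr = recv_exact(conn, 4)
    if hdr is None:
        return None
    (length,) = struct.unpack("!I", hdr)
    rest = recv_exact(conn, length + TAG_LEN)
    return None if rest is None else hdr + rest


def run_exchange(frames, key=SHARED_KEY):
    """Console listens on loopback, sensor sends the frames; return the verdicts."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, constructed for the demo
    srv.listen(1)
    port = srv.getsockname()[1]
    results = []

    def console():
        conn, _ = srv.accept()
        with conn:
            verifier = AlertVerifier(key)
            while (frame := read_frame(conn)) is not None:
                results.append(verifier.verify(frame))

    t = threading.Thread(target=console)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as sensor:
        for frame in frames:
            sensor.sendall(frame)
    t.join()
    srv.close()
    return results


def demo():
    """Two genuine alerts, one forged under a wrong key, one replay of the first."""
    good = [frame_alert(1, "ICMP PING"), frame_alert(2, "SCAN nmap")]
    forged = frame_alert(3, "fake alert", key=b"attacker-guess")
    return run_exchange(good + [forged, good[0]])


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running it shows the two genuine alerts accepted, the forged frame rejected with "bad tag" and the replayed frame rejected with "replay"; a console that only displays frames returning "ok" cannot be flooded by packets that merely carry the sensor's source address.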


> >>Yes, I am planning on continuing the socket feature for W32 in 1.9.x..
> >>But I am seeking input from the developer community on the issues I
> >>raised below.
> >>I think in winsock2 there is a file-based socket that W32 systems
> >>support, but I haven't tried it.
> >>Such a socket would obviate the need for use of the loopback IP address.
> >>So, I am interested in some discussion of this on the devel list first.
> >>In any case, I would be doing this in the next month approximately.
> >>
> >>Cheers! >>>>RWT
> >>
> >>Spacefox wrote:
> >>
> >>>Hey !
> >>>
> >>>Do you plan to continue your plugin ? I'm thinking to write one that would
> >>>work also over SSL (to get alerts and their details on a remote host). If
> >>>snort is running on a machine I can't access physically, is there a way,
> >>>now, to get information on my machine ?
> >>>
> >>Yes, sockets are the best way to do this.
> >>
> >>>
> >>>Thank you very much,
> >>>
> >>>Spacefox
> >>>Pack X Crew
> >>>http://www.packx.net
> >>>
> >>>----- Original Message -----
> >>>From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
> >>>To: "Spacefox" <cagoule at ...1278...>
> >>>Cc: <snort-devel at lists.sourceforge.net>
> >>>Sent: Friday, April 19, 2002 7:41 PM
> >>>Subject: Re: [Snort-devel] Output plugin like Unixsock for W32
> >>>
> >>>
> >>>>In fact, I began (and completed) such a feature in snort 1.8.4 in a
> >>>>Win2000 environment. Just did this locally to allow some snorting on my
> >>>>Win2K box. It works by using the loopback IP addr. Pretty simple, only
> >>>>a few lines of code.
> >>>>I have meant to propose doing it in 1.9 to the devel list, but I noticed
> >>>>a lot of MS visual C++ project issues on the list, and was waiting for
> >>>>things to settle down. Looks like they have, and
> >>>>I would like to re-up on my offer.
> >>>>
> >>>>There are a few design decisions for a general feature such as this.
> >>>>Here is an email I sent (off-list) a couple of weeks back. Maybe this
> >>>>can rekindle discussion:
> >>>>
> >>>>There are a few design decisions we should consider for 1.9.
> >>>>For example:
> >>>>1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
> >>>>feature independently of -A unsock. On *nix, both would work; on win2k
> >>>>only lbsock.  So we would need an extra -A parm recognized. That would
> >>>>be reasonably easy, but would take some more coding. Otherwise, as it
> >>>>currently stands -A unsock activates a true Unix socket
> >>>>(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
> >>>>on w2k. Might seem confusing, but documentation could certainly take
> >>>>care of clarifying it, if a new command line option is to be avoided.
> >>>>
> >>>>2) In order to prevent snort from sniffing its own socket packets (when
> >>>>loopback routes to HOME_NET, or whatever iface snort is sniffing), there
> >>>>needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
> >>>>like:
> >>>>var LOOP_BACK 127.0.0.1
> >>>>var SOCK_PORT 46070      # same port as defined in snort.h
> >>>>pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
> >>>>....
> >>>>Does such a rule create any IDS issues?
> >>>>
> >>>>AFN. >>RWT
> >>>>
> >>>>Spacefox wrote:
> >>>>
> >>>>>Hello !
> >>>>>
> >>>>>Does anyone know if a plugin like unixsock has been coded in the
> >>>>>W32 environment ? I want to make a client/server application to get
> >>>>>snort information with a remote host... This plugin would output
> >>>>>everything (alerts, connections, packets etc...).
> >>>>>
> >>>>>Thanks in advance.
> >>>>>
> >>>>>Spacefox
> >>>>>Pack X Crew
> >>>>>http://www.packx.net
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>ifrance.com, the most complete free email on the Internet!
> >>>>>your emails from a browser, via POP3, on Minitel, on WAP...
> >>>>>http://www.ifrance.com/_reloc/email.emailif
> >>>>>
> >>>>>
> >>>>>
> >>>>>_______________________________________________
> >>>>>Snort-devel mailing list
> >>>>>Snort-devel at lists.sourceforge.net
> >>>>>https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>>>>
