[Snort-devel] Output plugin like Unixsock for W32

Spacefox cagoule at ...1278...
Wed May 1 04:42:02 EDT 2002


Hi !

I found something interesting yesterday night... on the CERT website I found
a plugin that seems to do exactly what we need :

http://www.cert.org/kb/snortxml/index.html

This is able to send Alert/Logs on a remote socket; it supports https, tcp,
udp, http, logging to a file, etc... The data is in XML, so that seems to do
what we need, doesn't it?

Spacefox
Pack X Crew
http://www.packx.net



----- Original Message -----
From: "Spacefox" <cagoule at ...1278...>
To: "Dr. Richard W. Tibbs" <tewg at ...1280...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Monday, April 29, 2002 9:52 PM
Subject: [Snort-devel] (Need Input!!) Re: Output plugin like Unixsock for
W32


> Yes a single socket option would be preferable... if commands start
> to differ from the OS snort is running...humm :-/ and since this command
> would do strictly the same thing in *NIX and Win boxes... only some
> code makes the difference :-)
>
> > >It would be cool to have something like -A socket 192.168.0.2 (for
>
> > But, to use IP address is counter to the idea of using a file handle for
> > the socket. Given unpredictable  changes to network topologies, what is
> > to prevent 192.168.0.2 being suddenly routed through the interface that
> > snort is sniffing?
> > I know, usually an internal IP won't ever be routed through the
> > firewall, but if we allow arbitrary IP addresses, then snort can be
> > sniffing its own socket alert traffic.  Hmmmm.......  seems to require
> > an extra rule
> > "pass <local_IP_addr> any -> <socket_IP_addr> any"
> > which is what I think we should avoid.
>
> Yes I agree with you but my idea was to do it in TCP AND over SSL,
> why ? Simply because UDP has no SYN/ACK, so it is more than easily hijackable,
> and for security, a TCP stream is better I think... In my case, I want to have
> a remote console (my machine) and snort is running on "snorted_IP"; if someone
> wants to mess with me... he could flood me with crafted packets with
> "snorted_IP" as source IP and with fake alerts, then my console is flooded
> with fake alerts, while maybe some real bad things are happening... This is
> not impossible to do with TCP... but much much harder ;-)
>
> Now, why do I want to SSL the alerts output? Simply because when it is
> encrypted, the snort plugin will be able to send alerts to the socket_IP_addr
> and it will be decrypted by the host that is supposed to receive these alerts.
> So Snort won't sniff its own alerts... it will sniff an encrypted stream and
> it will be even harder to hijack (except if it happens at the start).
> I think it would be ok... just snort would sniff the alert packet one more
> time (but being encrypted that time... ).
>
> > Also, the current unix socket is a SOCK_DGRAM mode socket, so backward
> > compatibility would be preserved.
>
> Yes... I agree, but it seems like the unix socket plugin is not so used,
> maybe it's the moment to make something brand new ;-)
>
>
> Spacefox
> Pack X Crew
> http://www.packx.net
>
>
> > >>Yes, I am planning on continuing the socket feature for W32 in 1.9.x..
> > >>But I am seeking input from the developer community on the issues I
> > >>raised below.
> > >>I think in winsock2 there is a file-based socket that W32 systems
> > >>support, but I haven't tried it.
> > >>Such a socket would obviate the need for use of the loopback IP address.
> > >>So, I am interested in some discussion of this on the devel list first.
> > >>In any case, I would be doing this in the next month approximately.
> > >>
> > >>Cheers! >>>>RWT
> > >>
> > >>Spacefox wrote:
> > >>
> > >>>Hey !
> > >>>
> > >>>Do you plan to continue your plugin ? I'm thinking of writing one that
> > >>>would work also over SSL (to get alerts and their details on a remote
> > >>>host). If snort is running on a machine I can't access physically, is
> > >>>there a way, now, to get information on my machine ?
> > >>>
> > >>Yes, sockets are the best way to do this.
> > >>
> > >>>
> > >>>Thank you very much,
> > >>>
> > >>>Spacefox
> > >>>Pack X Crew
> > >>>http://www.packx.net
> > >>>
> > >>>----- Original Message -----
> > >>>From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
> > >>>To: "Spacefox" <cagoule at ...1278...>
> > >>>Cc: <snort-devel at lists.sourceforge.net>
> > >>>Sent: Friday, April 19, 2002 7:41 PM
> > >>>Subject: Re: [Snort-devel] Output plugin like Unixsock for W32
> > >>>
> > >>>
> > >>>>In fact, I began (and completed) such a feature in snort 1.8.4 in a
> > >>>>Win2000 environment. Just did this locally to allow some snorting on my
> > >>>>Win2K box. It works by using the loopback IP addr. Pretty simple, only
> > >>>>a few lines of code.
> > >>>>I have meant to propose doing it in 1.9 to the devel list, but I noticed
> > >>>>a lot of MS Visual C++ project issues on the list, and was waiting for
> > >>>>things to settle down. Looks like they have, and
> > >>>>I would like to re-up on my offer.
> > >>>>
> > >>>>There are a few design decisions for a general feature such as this.
> > >>>>Here is an email I sent (off-list) a couple of weeks back. Maybe this
> > >>>>can rekindle discussion:
> > >>>>
> > >>>>There are a few design decisions we should consider for 1.9.
> > >>>>For example:
> > >>>>1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
> > >>>>feature independently of -A unsock. On *nix, both would work; on win2k
> > >>>>only lbsock.  So we would need an extra -A parm recognized. That would
> > >>>>be reasonably easy, but would take some more coding. Otherwise, as it
> > >>>>currently stands -A unsock activates a true Unix socket
> > >>>>(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
> > >>>>on w2k. Might seem confusing, but documentation could certainly take
> > >>>>care of clarifying it, if a new command line option is to be avoided.
> > >>>>
> > >>>>2) In order to prevent snort from sniffing its own socket packets (when
> > >>>>loopback routes to HOME_NET, or whatever iface snort is sniffing), there
> > >>>>needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
> > >>>>like:
> > >>>>var LOOP_BACK 127.0.0.1
> > >>>>var SOCK_PORT 46070      # same port as defined in snort.h
> > >>>>pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
> > >>>>....
> > >>>>Does such a rule create any IDS issues?
> > >>>>
> > >>>>AFN. >>RWT
> > >>>>
> > >>>>Spacefox wrote:
> > >>>>
> > >>>>>Hello !
> > >>>>>
> > >>>>>Does anyone know if a plugin like unixsock has been coded in the
> > >>>>>W32 environment ? I want to make a client/server application to get
> > >>>>>snort information with a remote host... This plugin would output
> > >>>>>everything (alerts, connections, packets etc...).
> > >>>>>
> > >>>>>Thanks in advance.
> > >>>>>
> > >>>>>Spacefox
> > >>>>>Pack X Crew
> > >>>>>http://www.packx.net
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
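The loopback datagram alert channel RWT describes, as an added example that is not part of the original thread or of Snort's code; it uses the 127.0.0.1 address and port 46070 from the thread but assumes its own fixed-width wire layout (alert text, capture timestamp, packet length, packet bytes) rather than Snort's Alertpkt structure.

```python
import socket
import struct

# Constructed example of the loopback datagram alert channel discussed in the
# thread: an AF_INET/SOCK_DGRAM socket on 127.0.0.1, port 46070 as cited from
# snort.h. The wire layout is an assumption made for this example, not
# Snort's own Alertpkt structure.
LOOP_BACK = "127.0.0.1"
SOCK_PORT = 46070
ALERTMSG_LENGTH = 256
# fixed-width alert text, capture timestamp (seconds), raw packet length
HEADER = struct.Struct("!%dsII" % ALERTMSG_LENGTH)


def pack_alert(msg, ts_sec, pkt):
    """Serialize one alert: header followed by the captured packet bytes."""
    return HEADER.pack(msg.encode()[:ALERTMSG_LENGTH], ts_sec, len(pkt)) + pkt


def unpack_alert(datagram):
    """Parse a datagram, refusing short or truncated ones instead of guessing."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than alert header")
    raw_msg, ts_sec, pkt_len = HEADER.unpack_from(datagram)
    pkt = datagram[HEADER.size:HEADER.size + pkt_len]
    if len(pkt) != pkt_len:
        raise ValueError("packet body truncated")
    return raw_msg.rstrip(b"\x00").decode(), ts_sec, pkt


def loopback_roundtrip(msg, ts_sec, pkt, port=0):
    """Bind a console socket on loopback, send one alert to it from a sender
    socket and return the parsed alert. port=0 picks a free port so this runs
    beside a real listener on SOCK_PORT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as console:
        # Binding to 127.0.0.1 rather than 0.0.0.0 keeps the channel off the
        # sniffed interface, which is why the thread prefers loopback over an
        # arbitrary remote address.
        console.bind((LOOP_BACK, port))
        console.settimeout(2.0)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sensor:
            sensor.sendto(pack_alert(msg, ts_sec, pkt), console.getsockname())
        data, src = console.recvfrom(65535)
        # The datagram carries no authentication (the spoofing concern raised
        # in the thread), so at least refuse anything not sourced from loopback.
        if src[0] != LOOP_BACK:
            raise ValueError("alert from non-loopback source %s" % src[0])
        return unpack_alert(data)
```

A real console would keep the socket open and loop on recvfrom; the round-trip helper exists only so the exchange can be exercised in one process.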