[Snort-devel] Output plugin like Unixsock for W32

Dr. Richard W. Tibbs tewg at ...1280...
Wed May 1 09:11:11 EDT 2002


I looked at this a while back.  It delivers a similar service via XML, 
and I suppose the SNML 0.2 DTD provides a fairly complete set of 
capabilities -- most importantly the option to get either headers or 
full packet (raw) data.
My personal objectives were to do some advanced statistics on the packet 
stream, so I preferred a minimalist approach.
That is, "good" = fewer protocol layers, direct OS kernel calls (I think 
sockets are mostly kernel space calls -- anyone know?).
The other concern I have is the ISO-8601 timestamp in the DTD.  It does 
not allow sufficient granularity for accurate packet arrival statistics. 
Perhaps that could be changed, or there is a GPS-precision timestamp 
definition that might be used as an additional option.

The use of http(s) would require (I guess) the limitation that only a 
cgi script, java server/servlet or javascript page could receive the 
data in alert mode.  Would this be a limitation for quasi-real-time 
programming like statistics-on-the-fly?  
(In log mode, of course the XML plugin is perfect for remote secure 
connection. But what if the snort user does not wish to build a huge 
data file?)

Thoughts?  If the XML plugin works for your application, by all means go 
for it!  I am not sure it would be ideal for mine, but I am keeping an 
open mind....

 >>RWT
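A toy version of the loopback-datagram alert channel this thread is designing, as an added example that is neither Snort's code nor anything posted by the participants: the record layout (ALERT_FMT), the ALERT_MAGIC marker, every function name and the sample alerts are constructed here; only the port number 46070 and the loopback address come from the thread. It shows the three points the discussion circles around: a fixed binary record carrying a struct-timeval style timestamp (so the microsecond part needed for arrival statistics survives, unlike a whole-second ISO-8601 field), a receiver that stays bound to the loopback interface and drops datagrams from any other peer, and the fact that this check is not authentication, which is the gap the TCP/SSL proposal in the quoted replies is meant to close.

```python
"""Loopback datagram alert channel, a toy model of the -A unsock / loopback
socket design discussed in this thread.  Added example, not Snort code: the
record layout, ALERT_MAGIC and every function name are constructed here;
only the port number 46070 and 127.0.0.1 come from the thread."""
import socket
import struct
from datetime import datetime, timezone

SOCK_PORT = 46070          # port quoted in the thread; not tied to snort.h here
LOOPBACK = "127.0.0.1"
ALERT_MAGIC = b"ALRT"      # constructed framing marker
# Constructed record: magic, tv_sec, tv_usec, signature id, src IPv4, dst IPv4,
# NUL-padded message.  Network byte order keeps the wire format host-independent.
ALERT_FMT = "!4sIII4s4s64s"
ALERT_LEN = struct.calcsize(ALERT_FMT)   # 88 bytes


def pack_alert(sec, usec, sid, src, dst, msg):
    """Serialise one alert; sec/usec mirror a struct timeval so the
    microsecond part survives (the granularity concern raised above)."""
    return struct.pack(ALERT_FMT, ALERT_MAGIC, sec, usec, sid,
                       socket.inet_aton(src), socket.inet_aton(dst),
                       msg.encode("utf-8")[:64])


def unpack_alert(data):
    """Parse a datagram; return a dict, or None if it is not a well-formed record."""
    if len(data) != ALERT_LEN:
        return None
    magic, sec, usec, sid, src, dst, msg = struct.unpack(ALERT_FMT, data)
    if magic != ALERT_MAGIC or usec >= 1_000_000:
        return None
    return {
        "sec": sec, "usec": usec, "sid": sid,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "msg": msg.rstrip(b"\x00").decode("utf-8", errors="replace"),
    }


def accept_datagram(data, peer):
    """Receiver-side policy: the channel is meant to stay on the loopback
    interface, so a record arriving from any other peer address is dropped
    before parsing.  This is a cheap sanity check, not authentication: an
    unauthenticated UDP record can still be forged by any local process."""
    host, _port = peer
    if host != LOOPBACK:
        return None
    return unpack_alert(data)


def iso8601(sec, usec, fractional=True):
    """Format the timestamp as an XML-style output would.  With fractional
    seconds two alerts 250 us apart stay distinguishable; without them they
    collapse onto the same second."""
    base = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{usec:06d}Z" if fractional else f"{base}Z"


def interarrival_us(alerts):
    """Inter-arrival gaps in microseconds, the raw material for the
    statistics-on-the-fly use case mentioned in the thread."""
    t = [a["sec"] * 1_000_000 + a["usec"] for a in alerts]
    return [later - earlier for earlier, later in zip(t, t[1:])]


def main():
    # Constructed exchange over an ephemeral loopback port (port 0) so the
    # demo never collides with a real listener on SOCK_PORT.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((LOOPBACK, 0))
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    samples = [   # constructed sample alerts; the third is deliberately malformed
        pack_alert(1020000000, 250, 1000001, "10.0.0.5", "10.0.0.9", "constructed alert A"),
        pack_alert(1020000000, 500, 1000002, "10.0.0.5", "10.0.0.9", "constructed alert B"),
        b"not an alert record",
    ]
    for s in samples:
        tx.sendto(s, rx.getsockname())
    received = []
    for _ in samples:
        data, peer = rx.recvfrom(4096)
        alert = accept_datagram(data, peer)
        if alert is None:
            print("dropped datagram from", peer)
            continue
        received.append(alert)
        print(iso8601(alert["sec"], alert["usec"]),
              iso8601(alert["sec"], alert["usec"], fractional=False),
              alert["sid"], alert["msg"])
    print("inter-arrival (us):", interarrival_us(received))
    rx.close()
    tx.close()


if __name__ == "__main__":
    main()
```

The sensor-side companion is the `pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT` rule quoted further down: binding to 127.0.0.1 and checking the peer address keep the receiver off external interfaces, but they do not stop Snort itself from seeing its own alert traffic when the loopback interface is the one being sniffed.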

Spacefox wrote:

>Hi !
>
>I found something interesting yesterday night... on the CERT website I found
>a plugin that seems to do exactly what we need :
>
>http://www.cert.org/kb/snortxml/index.html
>
>This is able to send Alert/Logs on a remote socket, it supports https, tcp,
>udp, http, logging to a file, etc... The data is in XML. So that seems to do
>what we need, doesn't it ?
>
>Spacefox
>Pack X Crew
>http://www.packx.net
>
>
>
>----- Original Message -----
>From: "Spacefox" <cagoule at ...1278...>
>To: "Dr. Richard W. Tibbs" <tewg at ...1280...>
>Cc: <snort-devel at lists.sourceforge.net>
>Sent: Monday, April 29, 2002 9:52 PM
>Subject: [Snort-devel] (Need Input!!) Re: Output plugin like Unixsock for
>W32
>
>
>>Yes a single socket option would be preferable... if commands start
>>to differ from the OS snort is running...humm :-/ and since this command
>>would do strictly the same thing in *NIX and Win boxes... only some
>>code makes the difference :-)
>>
>>>>It would be cool to have something like -A socket 192.168.0.2 (for
>>>>
>>>But, to use IP address is counter to the idea of using a file handle for
>>>the socket. Given unpredictable  changes to network topologies, what is
>>>to prevent 192.168.0.2 being suddenly routed through the interface that
>>>snort is sniffing?
>>>I know, usually an internal IP won't ever be routed through the
>>>firewall, but if we allow arbitrary IP addresses, then snort can be
>>>sniffing its own socket alert traffic.  Hmmmm.......  seems to require
>>>an extra rule
>>>"pass <local_IP_addr> any -> <socket_IP_addr> any"
>>>which is what I think we should avoid.
>>>
>>Yes I agree with you but my idea was to do it in TCP AND over SSL,
>>why ? Simply because UDP has no SYN/ACK, so more than easily hijackable,
>>and for security, a TCP stream is better I think... In my case, I want to
>>have a remote console (my machine) and snort is running on "snorted_IP", if
>>someone wants to mess up with me... he could flood me with crafted packets
>>with "snorted_IP" as source IP and with fake alerts, then my console is
>>flooded with fake alerts, while maybe some real bad things are happening...
>>This is not impossible to do with TCP... but much much harder ;-)
>>
>>Now, why do I want to SSL the alerts output ? Simply because when it is
>>encrypted, the snort plugin will be able to send alerts to the
>>socket_IP_addr and it will be decrypted by the host that is supposed to
>>receive these alerts.
>>So Snort won't sniff its own alerts... it will sniff an encrypted stream
>>and it will be even harder to hijack (except if it happens at the start).
>>I think it would be ok... just snort would sniff one more time the alert
>>packet (but being encrypted that time... ).
>>
>>>Also, the current unix socket is a SOCK_DGRAM mode socket, so backward
>>>compatibility would be preserved.
>>>
>>Yes... I agree, but it seems like the unix socket plugin is not so used,
>>maybe it's the moment to make something brand new ;-)
>>
>>
>>Spacefox
>>Pack X Crew
>>http://www.packx.net
>>
>>
>>>>>Yes, I am planning on continuing the socket feature for W32 in 1.9.x..
>>>>>But I am seeking input from the developer community on the issues I
>>>>>raised below.
>>>>>I think in winsock2 there is a file-based socket that W32 systems
>>>>>support, but I haven't tried it.
>>>>>Such a socket would obviate the need for use of the loopback IP
>>>>>address.
>>>>>So, I am interested in some discussion of this on the devel list
>>>>>first.
>>>>>In any case, I would be doing this in the next month approximately.
>>>>>
>>>>>Cheers! >>>>RWT
>>>>>
>>>>>Spacefox wrote:
>>>>>
>>>>>>Hey !
>>>>>>
>>>>>>Do you plan to continue your plugin ? I'm thinking to write one that
>>>>>>would work also over SSL (to get alerts and their details on a remote
>>>>>>host). If snort is running on a machine I can't access physically, is
>>>>>>there a way, now, to get information on my machine ?
>>>>>>
>>>>>Yes, sockets are the best way to do this.
>>>>>
>>>>>>Thank you very much,
>>>>>>
>>>>>>Spacefox
>>>>>>Pack X Crew
>>>>>>http://www.packx.net
>>>>>>
>>>>>>----- Original Message -----
>>>>>>From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
>>>>>>To: "Spacefox" <cagoule at ...1278...>
>>>>>>Cc: <snort-devel at lists.sourceforge.net>
>>>>>>Sent: Friday, April 19, 2002 7:41 PM
>>>>>>Subject: Re: [Snort-devel] Output plugin like Unixsock for W32
>>>>>>
>>>>>>
>>>>>>>In fact, I began (and completed ) such a feature in snort 1.8.4 in
>>>>>>>a Win2000 environment. Just did this locally to allow some snorting
>>>>>>>on my Win2K box. It works by using the loopback IP addr.  Pretty simple,
>>>>>>>only a few lines of code.
>>>>>>>I have meant to propose doing it in 1.9 to the devel list, but I
>>>>>>>noticed a lot of MS visual C++ project issues on the list, and was
>>>>>>>waiting for things to settle down. Looks like they have, and
>>>>>>>I would like to re-up on my offer.
>>>>>>>
>>>>>>>There are a few design decisions for a general feature such as this.
>>>>>>>Here is an email I sent (off-list) a couple of weeks back. Maybe
>>>>>>>this can rekindle discussion:
>>>>>>>
>>>>>>>There are a few design decisions we should consider for 1.9.
>>>>>>>For example:
>>>>>>>1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
>>>>>>>feature independently of -A unsock. On *nix, both would work; on
>>>>>>>win2k only lbsock.  So we would need an extra -A parm recognized. That
>>>>>>>would be reasonably easy, but would take some more coding. Otherwise, as
>>>>>>>it currently stands -A unsock activates a true Unix socket
>>>>>>>(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM
>>>>>>>socket on w2k. Might seem confusing, but documentation could certainly
>>>>>>>take care of clarifying it, if a new command line option is to be
>>>>>>>avoided.
>>>>>>>2) In order to prevent snort from sniffing its own socket packets
>>>>>>>(when loopback routes to HOME_NET, or whatever iface snort is sniffing),
>>>>>>>there needs to be a rule in snort.conf (or induced upon cmd option -A
>>>>>>>unsock) like:
>>>>>>>var LOOP_BACK 127.0.0.1
>>>>>>>var SOCK_PORT 46070      # same port as defined in snort.h
>>>>>>>pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
>>>>>>>....
>>>>>>>Does such a rule create any IDS issues?
>>>>>>>
>>>>>>>AFN. >>RWT
>>>>>>>
>>>>>>>Spacefox wrote:
>>>>>>>
>>>>>>>>Hello !
>>>>>>>>
>>>>>>>>Does anyone know if a plugin like unixsock has been coded in the
>>>>>>>>W32 environment ? I want to make a client/server application to get
>>>>>>>>snort information with a remote host... This plugin would output
>>>>>>>>everything (alerts, connections, packets etc...).
>>>>>>>>
>>>>>>>>Thanks in advance.
>>>>>>>>
>>>>>>>>Spacefox
>>>>>>>>Pack X Crew
>>>>>>>>http://www.packx.net
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>ifrance.com, the most complete free email on the Internet!
>>>>>>>>your emails from a browser, via POP3, on Minitel, on the WAP...
>>>>>>>>http://www.ifrance.com/_reloc/email.emailif
>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>Snort-devel mailing list
>>>>>>>>Snort-devel at lists.sourceforge.net
>>>>>>>>https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>>>>