[Snort-devel] Output plugin like Unixsock for W32

Spacefox cagoule at ...1278...
Thu May 2 04:19:03 EDT 2002


Well, it "could" be OK for me, I didn't try it yet... But in log mode, my
program would listen to the output of this plugin, then parse the data, and
it would let me use what I need to display in my console. Of course a
smaller plugin could be written for that (to suit exactly what I need)...
But at least this seems to work, it's supported and already integrated, so
I was thinking of basing my work on this plugin :-)
Nevertheless, I would like to try it to see the output in alert/log mode to
see if this really suits my needs :-) I have to check it soon. Anyway, keep
me informed about your work, I'm also interested :-)

Spacefox
Pack X Crew
http://www.packx.net

----- Original Message -----
From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
To: "Spacefox" <cagoule at ...1278...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Wednesday, May 01, 2002 7:12 PM
Subject: Re: [Snort-devel] Output plugin like Unixsock for W32


> I looked at this a while back.  It delivers a similar service via XML,
> and I suppose the SNML 0.2 DTD provides a fairly complete set of
> capabilities -- most importantly the option to get either headers or
> full packet (raw) data.
> My personal objectives were to do some advanced statistics on the packet
> stream, so I preferred a minimalist approach.
> That is, "good" = fewer protocol layers, direct OS kernel calls (I think
> sockets are mostly kernel space calls -- anyone know?).
> The other concern I have is the ISO-8601 timestamp in the DTD.  It does
> not allow sufficient granularity for accurate packet arrival statistics.
> Perhaps that could be changed, or there is a GPS-precision timestamp
> definition that might be used as an additional option.
>
> The use of http(s) would require (I guess) the limitation that only a
> cgi script, java server/servlet or javascript page could receive the
> data in alert mode. Would this be a limitation for quasi-real-time
> programming like statistics-on-the-fly?
> (In log mode, of course the XML plugin is perfect for remote secure
> connection. But what if the snort user does not wish to build a huge
> data file?)
>
> Thoughts?  If the XML plugin works for your application, by all means go
> for it!  I am not sure it would be ideal for mine, but I am keeping an
> open mind....
>
>  >>RWT
>
> Spacefox wrote:
>
> >Hi !
> >
> >I found something interesting yesterday night... on the CERT website I
> >found a plugin that seems to do exactly what we need:
> >
> >http://www.cert.org/kb/snortxml/index.html
> >
> >This is able to send Alerts/Logs to a remote socket; it supports https,
> >tcp, udp, http, logging to a file, etc... The data is in XML, so that
> >seems to do what we need, doesn't it?
> >
> >Spacefox
> >Pack X Crew
> >http://www.packx.net
> >
> >
> >
> >----- Original Message -----
> >From: "Spacefox" <cagoule at ...1278...>
> >To: "Dr. Richard W. Tibbs" <tewg at ...1280...>
> >Cc: <snort-devel at lists.sourceforge.net>
> >Sent: Monday, April 29, 2002 9:52 PM
> >Subject: [Snort-devel] (Need Input!!) Re: Output plugin like Unixsock for W32
> >
> >
> >>Yes, a single socket option would be preferable... if commands start
> >>to differ depending on the OS snort is running on... humm :-/ and since this
> >>command would do strictly the same thing on *NIX and Win boxes... only some
> >>code makes the difference :-)
> >>
> >>>>It would be cool to have something like -A socket 192.168.0.2 (for
> >>>>
> >>>But, to use an IP address is counter to the idea of using a file handle
> >>>for the socket. Given unpredictable changes to network topologies, what is
> >>>to prevent 192.168.0.2 being suddenly routed through the interface that
> >>>snort is sniffing?
> >>>I know, usually an internal IP won't ever be routed through the
> >>>firewall, but if we allow arbitrary IP addresses, then snort can be
> >>>sniffing its own socket alert traffic.  Hmmmm.......  seems to require
> >>>an extra rule
> >>>"pass <local_IP_addr> any -> <socket_IP_addr> any"
> >>>which is what I think we should avoid.
> >>>
> >>Yes, I agree with you, but my idea was to do it in TCP AND over SSL.
> >>Why? Simply because UDP has no SYN/ACK, so it is more than easily
> >>hijackable, and for security a TCP stream is better I think... In my case,
> >>I want to have a remote console (my machine) and snort is running on
> >>"snorted_IP"; if someone wants to mess with me, he could flood me with
> >>crafted packets with "snorted_IP" as source IP and with fake alerts, then
> >>my console is flooded with fake alerts, while maybe some real bad things
> >>are happening... This is not impossible to do with TCP... but much much
> >>harder ;-)
> >>
> >>Now, why do I want to SSL the alerts output? Simply because when it is
> >>encrypted, the snort plugin will be able to send alerts to the
> >>socket_IP_addr and it will be decrypted by the host that is supposed to
> >>receive these alerts. So Snort won't sniff its own alerts... it will sniff
> >>an encrypted stream and it will be even harder to hijack (except if it
> >>happens at the start).
> >>I think it would be ok... just snort would sniff the alert packet one more
> >>time (but being encrypted that time...).
> >>
> >>>Also, the current unix socket is a SOCK_DGRAM mode socket, so backward
> >>>compatibility would be preserved.
> >>>
> >>Yes... I agree, but it seems like the unix socket plugin is not so used,
> >>maybe it's the moment to make something brand new ;-)
> >>
> >>
> >>Spacefox
> >>Pack X Crew
> >>http://www.packx.net
> >>
> >>
> >>>>>Yes, I am planning on continuing the socket feature for W32 in 1.9.x..
> >>>>>But I am seeking input from the developer community on the issues I
> >>>>>raised below.
> >>>>>I think in winsock2 there is a file-based socket that W32 systems
> >>>>>support, but I haven't tried it.
> >>>>>Such a socket would obviate the need for use of the loopback IP address.
> >>>>>So, I am interested in some discussion of this on the devel list first.
> >>>>>In any case, I would be doing this in the next month approximately.
> >>>>>
> >>>>>Cheers! >>>>RWT
> >>>>>
> >>>>>Spacefox wrote:
> >>>>>
> >>>>>>Hey !
> >>>>>>
> >>>>>>Do you plan to continue your plugin? I'm thinking of writing one that
> >>>>>>would also work over SSL (to get alerts and their details on a remote
> >>>>>>host). If snort is running on a machine I can't access physically, is
> >>>>>>there a way, now, to get information on my machine?
> >>>>>>
> >>>>>Yes, sockets are the best way to do this.
> >>>>>
> >>>>>>Thank you very much,
> >>>>>>
> >>>>>>Spacefox
> >>>>>>Pack X Crew
> >>>>>>http://www.packx.net
> >>>>>>
> >>>>>>----- Original Message -----
> >>>>>>From: "Dr. Richard W. Tibbs" <tewg at ...1280...>
> >>>>>>To: "Spacefox" <cagoule at ...1278...>
> >>>>>>Cc: <snort-devel at lists.sourceforge.net>
> >>>>>>Sent: Friday, April 19, 2002 7:41 PM
> >>>>>>Subject: Re: [Snort-devel] Output plugin like Unixsock for W32
> >>>>>>
> >>>>>>
> >>>>>>>In fact, I began (and completed) such a feature in snort 1.8.4 in a
> >>>>>>>Win2000 environment. Just did this locally to allow some snorting on
> >>>>>>>my Win2K box. It works by using the loopback IP addr. Pretty simple,
> >>>>>>>only a few lines of code.
> >>>>>>>I have meant to propose doing it in 1.9 to the devel list, but I
> >>>>>>>noticed a lot of MS Visual C++ project issues on the list, and was
> >>>>>>>waiting for things to settle down. Looks like they have, and I would
> >>>>>>>like to re-up on my offer.
> >>>>>>>
> >>>>>>>There are a few design decisions for a general feature such as this.
> >>>>>>>Here is an email I sent (off-list) a couple of weeks back. Maybe this
> >>>>>>>can rekindle discussion:
> >>>>>>>
> >>>>>>>There are a few design decisions we should consider for 1.9.
> >>>>>>>For example:
> >>>>>>>1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
> >>>>>>>feature independently of -A unsock. On *nix, both would work; on win2k
> >>>>>>>only lbsock. So we would need an extra -A parm recognized. That would
> >>>>>>>be reasonably easy, but would take some more coding. Otherwise, as it
> >>>>>>>currently stands -A unsock activates a true Unix socket
> >>>>>>>(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
> >>>>>>>on w2k. Might seem confusing, but documentation could certainly take
> >>>>>>>care of clarifying it, if a new command line option is to be avoided.
> >>>>>>>2) In order to prevent snort from sniffing its own socket packets (when
> >>>>>>>loopback routes to HOME_NET, or whatever iface snort is sniffing), there
> >>>>>>>needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
> >>>>>>>like:
> >>>>>>>var LOOP_BACK 127.0.0.1
> >>>>>>>var SOCK_PORT 46070      # same port as defined in snort.h
> >>>>>>>pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
> >>>>>>>....
> >>>>>>>Does such a rule create any IDS issues?
> >>>>>>>
> >>>>>>>AFN. >>RWT
> >>>>>>>
> >>>>>>>Spacefox wrote:
> >>>>>>>
> >>>>>>>>Hello !
> >>>>>>>>
> >>>>>>>>Does anyone know if a plugin like unixsock has been coded in the
> >>>>>>>>W32 environment? I want to make a client/server application to get
> >>>>>>>>snort information from a remote host... This plugin would output
> >>>>>>>>everything (alerts, connections, packets etc...).
> >>>>>>>>
> >>>>>>>>Thanks in advance.
> >>>>>>>>
> >>>>>>>>Spacefox
> >>>>>>>>Pack X Crew
> >>>>>>>>http://www.packx.net
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>_______________________________________________
> >>>>>>>>Snort-devel mailing list
> >>>>>>>>Snort-devel at lists.sourceforge.net
> >>>>>>>>https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>>>>>>>

 
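As an added illustration (not code from this thread or from Snort), here is a small Python matcher for the var/pass fragment quoted above, answering the "does such a rule create any IDS issues?" question with constructed sample traffic. It assumes a simplified rule model (exact IP, port and protocol matches or "any"; no CIDR, lists, ranges or bidirectional operators), which is enough to show that only loopback-to-loopback UDP on the socket port is exempted, while the same port reached from another host, or the same tuple over TCP, is still inspected.

```python
# Constructed snort.conf fragment, as proposed in the thread above (not a real config).
SNORT_CONF = """
var LOOP_BACK 127.0.0.1
var SOCK_PORT 46070      # same port as defined in snort.h
pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
"""

def expand(variables, field):
    """Resolve a $NAME reference against the var table; other fields are literal."""
    return variables[field[1:]] if field.startswith("$") else field

def parse_conf(text):
    """Collect 'var' definitions and headers-only 'pass' rules from a snort.conf fragment.
    Assumption: fields are exact IPs/ports or 'any' (no CIDR, lists or ranges)."""
    variables, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip trailing comments
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
        elif len(parts) == 7 and parts[0] == "pass" and parts[4] == "->":
            proto, src, sport, _, dst, dport = parts[1:]
            rules.append(tuple(expand(variables, f) for f in (proto, src, sport, dst, dport)))
    return variables, rules

def field_matches(pattern, value):
    return pattern == "any" or pattern == str(value)

def is_passed(rules, pkt):
    """True if some pass rule exempts pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sp, dip, dp = pkt
    return any(proto == r[0] and field_matches(r[1], sip) and field_matches(r[2], sp)
               and field_matches(r[3], dip) and field_matches(r[4], dp) for r in rules)

# Constructed sample traffic (proto, src_ip, src_port, dst_ip, dst_port).
SAMPLE_PACKETS = [
    ("udp", "127.0.0.1", 46070, "127.0.0.1", 46070),    # snort's own alert datagram on loopback
    ("udp", "192.168.0.2", 46070, "127.0.0.1", 46070),  # another host hitting the socket port
    ("tcp", "127.0.0.1", 46070, "127.0.0.1", 46070),    # same addresses and port, but TCP
]

def classify(conf_text, packets):
    """Map each packet to 'pass' (exempt from inspection) or 'inspect'."""
    _, rules = parse_conf(conf_text)
    return ["pass" if is_passed(rules, p) else "inspect" for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, classify(SNORT_CONF, SAMPLE_PACKETS)):
        print(verdict, pkt)
```

One caveat the matcher does not model: in Snort 1.x/2.x the default rule order is Alert, Pass, Log, so a pass rule like this one only takes precedence over alert rules when Snort is started with the `-o` option (Pass, Alert, Log).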





