[Snort-devel] Snort Supports SCTP

Joshua Kinard kumba at ...2185...
Mon May 20 13:52:01 EDT 2013


On 05/20/2013 1:20 AM, Joshua Kinard wrote:
> On 05/16/2013 7:53 AM, Russ Combs wrote:
>> It is on our radar, but there are no specific plans at this point.
>>
>> On Wed, May 15, 2013 at 5:06 AM, marwane azzouzi
>> <azzouzi.marwane at ...3292...> wrote:
>>>
>>> Hello,
>>>
>>> My question concerns the support of the SCTP protocol by Snort in a mobile
>>> context (SIGTRAN).
>>> I see that there is no preprocessor to decode the SCTP protocol such like
>>> SIP or HTTP preprocessors...
>>> Did the team intend to develop that feature?
>>>
>>> Any information ?
>>>
>>> Thx
>>>
>>> marwane
> 
> Try the attached.  I have a strange fascination with SCTP, so back in 2011,
> I copied the Stream5 UDP code and made a very generic SCTP Stream5 module,
> as well as duplicated all the code points where UDP was parsed to parse
> SCTP.  I also added a DecodeSCTP function and various helpers to decode.c,
> and other bits that I'm not going to enumerate here.  I just updated all the
> code today to work with snort-2.9.4.6, and tested it on both IPv4 and
> IPv6-based packet captures that I managed to hunt down off of Google.
[snip]

Oops, I almost forgot to mention: I have a bunch of raw printf() statements
left over in decode.c from debugging.  If they get too annoying, remove them
with the supplied patch (to be applied after the first two).  I've only
tested this code on the handful of SCTP packet captures found via Google,
as I do not have a real SCTP setup to generate live traffic.


-- 
Joshua Kinard
Gentoo/MIPS
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
-------------- next part --------------
diff --git a/src/decode.c b/src/decode.c
index 8aac65b..9d7bbb2 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -3105,7 +3105,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
     {
         /* DATA Chunk */
         case SCTP_DATA_C:
-            printf("DEBUG: Got DATA chunk!\n");
             CHECK_CHUNK_LENGTH(DATA, SCTP_DATA_C_LEN)
 
             /*
@@ -3130,7 +3129,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* INIT Chunk */
         case SCTP_INIT_C:
-            printf("DEBUG: Got INIT chunk!\n");
             CHECK_CHUNK_LENGTH(INIT, SCTP_INIT_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(INIT)
 
@@ -3173,7 +3171,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* INIT ACK Chunk */
         case SCTP_INIT_ACK_C:
-            printf("DEBUG: Got INIT_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(INIT_ACK, SCTP_INIT_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(INIT_ACK)
 
@@ -3208,7 +3205,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* SACK Chunk */
         case SCTP_SACK_C:
-            printf("DEBUG: Got SACK chunk!\n");
             CHECK_CHUNK_LENGTH(SACK, SCTP_SACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(SACK)
 
@@ -3216,7 +3212,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* HEARTBEAT Chunk */
         case SCTP_HEARTBEAT_C:
-            printf("DEBUG: Got HEARTBEAT chunk!\n");
             CHECK_CHUNK_LENGTH(HEARTBEAT, SCTP_HEARTBEAT_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(HEARTBEAT)
 
@@ -3224,7 +3219,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* HEARTBEAT_ACK Chunk */
         case SCTP_HEARTBEAT_ACK_C:
-            printf("DEBUG: Got HEARTBEAT_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(HEARTBEAT_ACK, SCTP_HEARTBEAT_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(HEARTBEAT_ACK)
 
@@ -3232,7 +3226,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ABORT Chunk */
         case SCTP_ABORT_C:
-            printf("DEBUG: Got ABORT chunk!\n");
             CHECK_CHUNK_LENGTH(ABORT, SCTP_ABORT_C_LEN)
 
             /* Make sure the ABORT chunk's reserved area in flags is 0. */
@@ -3250,7 +3243,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* SHUTDOWN Chunk */
         case SCTP_SHUTDOWN_C:
-            printf("DEBUG: Got SHUTDOWN chunk!\n");
             CHECK_CHUNK_LENGTH(SHUTDOWN, SCTP_SHUTDOWN_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(SHUTDOWN)
 
@@ -3258,7 +3250,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* SHUTDOWN_ACK Chunk */
         case SCTP_SHUTDOWN_ACK_C:
-            printf("DEBUG: Got SHUTDOWN_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(SHUTDOWN_ACK, SCTP_SHUTDOWN_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(SHUTDOWN_ACK)
 
@@ -3266,7 +3257,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ERROR Chunk */
         case SCTP_ERROR_C:
-            printf("DEBUG: Got ERROR chunk!\n");
             CHECK_CHUNK_LENGTH(ERROR, SCTP_ERROR_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(ERROR)
 
@@ -3276,7 +3266,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* COOKIE_ECHO Chunk */
         case SCTP_COOKIE_ECHO_C:
-            printf("DEBUG: Got COOKIE_ECHO chunk!\n");
             CHECK_CHUNK_LENGTH(COOKIE_ECHO, SCTP_COOKIE_ECHO_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(COOKIE_ECHO)
 
@@ -3284,7 +3273,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* COOKIE_ACK Chunk */
         case SCTP_COOKIE_ACK_C:
-            printf("DEBUG: Got COOKIE_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(COOKIE_ACK, SCTP_COOKIE_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(COOKIE_ACK)
 
@@ -3292,7 +3280,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ECNE Chunk */
         case SCTP_ECNE_C:
-            printf("DEBUG: Got ECNE chunk!\n");
             CHECK_CHUNK_LENGTH(ECNE, SCTP_ECNE_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(ECNE)
 
@@ -3300,7 +3287,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* CWR Chunk */
         case SCTP_CWR_C:
-            printf("DEBUG: Got CWR chunk!\n");
             CHECK_CHUNK_LENGTH(CWR, SCTP_CWR_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(CWR)
 
@@ -3308,7 +3294,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* SHUTDOWN_COMPLETE Chunk */
         case SCTP_SHUTDOWN_COMPLETE_C:
-            printf("DEBUG: Got SHUTDOWN_COMPLETE chunk!\n");
             CHECK_CHUNK_LENGTH(SHUTDOWN_COMPLETE, SCTP_SHUTDOWN_COMPLETE_C_LEN)
 
             /* Make sure the SHUTDOWN_COMPLETE chunk's reserved area in flags is 0. */
@@ -3323,7 +3308,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* AUTH Chunk */
         case SCTP_AUTH_C:
-            printf("DEBUG: Got AUTH chunk!\n");
             CHECK_CHUNK_LENGTH(AUTH, SCTP_AUTH_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(AUTH)
 
@@ -3331,7 +3315,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ASCONF_ACK Chunk */
         case SCTP_ASCONF_ACK_C:
-            printf("DEBUG: Got ASCONF_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(ASCONF_ACK, SCTP_ASCONF_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(ASCONF_ACK)
 
@@ -3339,7 +3322,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* PKTDROP Chunk */
         case SCTP_PKTDROP_C:
-            printf("DEBUG: Got PKTDROP chunk!\n");
             CHECK_CHUNK_LENGTH(PKTDROP, SCTP_PKTDROP_C_LEN)
 
             /* Make sure the PKTDROP chunk's reserved area in flags is 0. */
@@ -3361,7 +3343,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* RE-CONFIG Chunk */
         case SCTP_RECONFIG_C:
-            printf("DEBUG: Got RE-CONFIG chunk!\n");
             CHECK_CHUNK_LENGTH(RECONFIG, SCTP_RECONFIG_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(RECONFIG)
 
@@ -3369,7 +3350,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* PAD Chunk */
         case SCTP_PAD_C:
-            printf("DEBUG: Got PAD chunk!\n");
             CHECK_CHUNK_LENGTH(PAD, SCTP_PAD_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(PAD)
 
@@ -3377,7 +3357,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* FORWARD_TSN Chunk */
         case SCTP_FORWARD_TSN_C:
-            printf("DEBUG: Got FORWARD_TSN chunk!\n");
             CHECK_CHUNK_LENGTH(FORWARD_TSN, SCTP_FORWARD_TSN_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(FORWARD_TSN)
 
@@ -3385,7 +3364,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ASCONF Chunk */
         case SCTP_ASCONF_C:
-            printf("DEBUG: Got ASCONF chunk!\n");
             CHECK_CHUNK_LENGTH(ASCONF, SCTP_ASCONF_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(ASCONF)
 

