[Snort-devel] Snort-devel Digest, Vol 98, Issue 7

Muhammad Ridwan Zalbina zalbinaridwan at ...2499...
Mon Sep 29 05:03:59 EDT 2014


Hello, I'm new here ...
I want to ask something about Snort development ..
Is there a way to modify a Snort preprocessor to combine it with a Web
Application Firewall like ModSecurity ...
If so, can you tell me the way ... ?

On Fri, Sep 26, 2014 at 8:17 PM, <snort-devel-request at lists.sourceforge.net>
wrote:

> Send Snort-devel mailing list submissions to
>         snort-devel at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-devel
> or, via email, send a message with subject or body 'help' to
>         snort-devel-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>         snort-devel-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-devel digest..."
>
>
> Today's Topics:
>
>    1. Re: How to log an IP address in dpx.c ? (Emiliano Fausto)
>    2. DAQ output (Eugenio Perez)
>    3. Possible to configure snort for an alternative to /etc for
>       default conf. files? (Rich Burridge)
>    4. Re: Possible to configure snort for an alternative to /etc
>       for default conf. files? (Rich Burridge)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 16 Sep 2014 12:48:40 -0300
> From: Emiliano Fausto <emiliano.fausto at ...2499...>
> Subject: Re: [Snort-devel] How to log an IP address in dpx.c ?
> To: "Zeeuw, L.V. de" <l.v.de.zeeuw at ...3504...>
> Cc: "snort-devel at lists.sourceforge.net"
>         <snort-devel at lists.sourceforge.net>
> Message-ID: <CAD2H3x8b=-NgD+fme_+nfAOEY7=cuSk-T1=k3gujpV2JdzF0kA at ...2500...>
> Content-Type: text/plain; charset="utf-8"
>
> That's great!
>
> Regards,
> Emi
>
> 2014-09-16 11:47 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
>
> > Hi Emiliano (and Steven),
> >
> > working on the code you provided previously, this code will do the job
> > for me:
> >
> >     IP4Hdr iphd;
> >     sfip_t iphdt;
> >
> >     /* copy the inner IPv4 header out of the packet before reading it */
> >     iphd = p->inner_ip4h;
> >     iphdt = iphd.ip_src;
> >     unsigned char *ipV4address = (unsigned char*) &iphdt.ip;
> >     _dpd.logMsg("IPsource %u.%u.%u.%u\n", *ipV4address,
> >                 *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));
> >
> >     /* ipV4address still points at iphdt.ip, which now holds ip_dst */
> >     iphdt = iphd.ip_dst;
> >     _dpd.logMsg("IPdestination %u.%u.%u.%u\n", *ipV4address,
> >                 *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));
> >
> > Using the test.pcap as input file.
> >
> > Output:
> >
> >     IPsource 10.9.8.7
> >     IPdestination 10.4.5.6
> >
> > Thank you both for your time.
> >
> > Regards,
> >
> > Luc
> >
> >
> > >>> Emiliano Fausto <emiliano.fausto at ...2499...> 09/15/14 3:12 PM >>>
> >
> > Hello Luc,
> >
> > what if you try with something like this?
> >
> > _dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
> >             (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
> >             (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF,
> >             src_port_test);
> >
> > Maybe there's a better way, but hope it helps.
> >
> > Regards,
> > Emiliano.
> >
> > 2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
> >
> >> Hi Emiliano,
> >>
> >> I am still trying to log the IPv4 source and IPv4 destination addresses in
> >> dotted decimal format.
> >>
> >> I was too fast in my opinion that everything worked fine using the code
> >> you provided previously. I hope you will help me once again (or anyone
> >> else) to figure out what is wrong.
> >>
> >> When I am adding this code to the dpx.c (from the dpx-1.6.tar.gz
> >> <https://webmail.hro.nl/gw/dpx-1.6.tar.gz>) just before the last }
> >>
> >>     IP4Hdr iphd;
> >>     sfip_t iphdt;
> >>
> >>     iphdt = iphd.ip_src;
> >>     unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
> >>     unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
> >>                                (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
> >>     unsigned short int src_port_test = p->src_port;
> >>
> >>     iphdt = iphd.ip_dst;
> >>     unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
> >>     unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
> >>                                (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
> >>     unsigned short int dst_port_test = p->dst_port;
> >>     _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
> >>                 src_ip_test, src_port_test, dst_ip_test, dst_port_test);
> >>
> >>
> >> I cannot find the correct IP address output (the port numbers are
> >> correct) when running ./test.sh (using test.pcap as input)
> >>
> >>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
> >>     Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
> >>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
> >>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
> >>     Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
> >>     Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
> >>
> >> The IPsrc should be 10.1.2.3 ...
> >> The IPdst should be 10.4.5.6 ...
> >>
> >> I can not figure out what is wrong. Any help is appreciated.
> >>
> >> Regards,
> >>
> >> Luc
> >>
> >>
> >>
> >>
> >>
> >>
> >> >>> Zeeuw, L.V. de 07/25/14 9:19 AM >>>
> >> Hi Emiliano,
> >>
> >> thank you! I have tried this and indeed it works fine if I use
> >>
> >>    IP4Hdr iphd;
> >>    sfip_t iphdt;
> >>
> >> for the declaration.
> >>
> >> These code snippets are very useful!
> >>
> >> Regards,
> >>
> >> Luc
> >>
> >>
> >>
> >> >>> Emiliano Fausto <emiliano.fausto at ...2499...> 07/24/14 6:49 PM >>>
> >> Hello Luc,
> >>
> >> I've tried this testing and it works fine:
> >>
> >>
> >> iphdt = iphd.ip_src;
> >> unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
> >> unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
> >>                            (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
> >> unsigned short int src_port_test = p->src_port;
> >>
> >> iphdt = iphd.ip_dst;
> >> unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
> >> unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
> >>                            (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
> >> unsigned short int dst_port_test = p->dst_port;
> >> _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
> >>             src_ip_test, src_port_test, dst_ip_test, dst_port_test);
> >>
> >>
> >> Hope it helps,
> >> Emiliano.
> >>
> >>
> >> 2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...>:
> >>
> >>> Hi,
> >>>
> >>> I am experimenting with the dpx. It's working. Now I started adding some
> >>> statements to view the content of the ip4/tcp headers. I am able to log
> >>> things like src/dst, TCP payload size, etc.
> >>>
> >>>     SFSnortPacket* p = (SFSnortPacket*)pkt;
> >>>
> >>>     _dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port,
> >>>                 p->dst_port);
> >>>     _dpd.logMsg("Payload size %i\n", p->payload_size);
> >>>
> >>> but from sf_snort_packet.h and sf_ip.h (??) I do not know how to log
> >>> an ip-address ...
> >>>
> >>> I should like to ...
> >>>
> >>>     _dpd.logMsg("Source ip %?? \n", ?????);
> >>>
> >>> BTW: Are there any recent books/tutorials for these kinds of questions
> >>> you would recommend? What about Snort development documentation for
> >>> the most recent Snort version?
> >>> Any help is appreciated.
> >>>
> >>> Regards,
> >>>
> >>> Luc
> >>>
> >>> the Netherlands
> >>>
> >>>
> >>> _______________________________________________
> >>> Snort-devel mailing list
> >>> Snort-devel at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>> Archive:
> >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >>>
> >>> Please visit http://blog.snort.org for the latest news about Snort!
> >>>
> >>
> >>
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 2
> Date: Wed, 24 Sep 2014 10:20:30 +0200
> From: Eugenio Perez <eugenio at ...3500...>
> Subject: [Snort-devel] DAQ output
> To: snort-devel at lists.sourceforge.net
> Message-ID: <CACJcbv2b4wO8tVapdgNhmuUJ++QwhkhycCeAvzC6ag6TWvNdBg at ...2500...>
> Content-Type: text/plain; charset=UTF-8
>
> Hi everyone.
>
> Is there any way to do DAQ logging from daq_acquire() function? I have
> only seen two ways so far:
> - Raw fprintf, so I can't be homogeneous with snort logging
> - Break and return some kind of error (that I definitely don't want
> to, because I only want to report a log, not break)
>
> Thanks for all and regards.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 25 Sep 2014 14:20:08 -0700
> From: Rich Burridge <rich.burridge at ...3515...>
> Subject: [Snort-devel] Possible to configure snort for an alternative
>         to /etc for default conf. files?
> To: snort-devel at lists.sourceforge.net
> Message-ID: <54248708.3030805 at ...3515...>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi,
>
> Is it possible to build snort from source (a configure option that I'm
> overlooking perhaps), so that it looks for its various default
> configuration files (like snort.conf) under (say) /etc/snort instead of
> directly under /etc ?
>
> I did notice:
>
> --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
>
> when I did "configure --help", but I'm not sure that's the solution.
> From a quick glance at the snort source code, looking directly under
> "/etc/" seems to be baked in.
>
> I do know about the "-c" runtime option to allow a different conf file,
> but I'm the guy that creates the snort package for Solaris. I've been
> asked to consider that the default install for snort config files should
> be /etc/snort/... rather than /etc, so as not to "pollute" /etc.
>
> I'm just trying to determine if it's (easily) possible to do.
>
> Thanks.
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 26 Sep 2014 06:16:50 -0700
> From: Rich Burridge <rich.burridge at ...3515...>
> Subject: Re: [Snort-devel] Possible to configure snort for an
>         alternative to /etc for default conf. files?
> To: snort-devel at lists.sourceforge.net
> Message-ID: <54256742.5010909 at ...3515...>
> Content-Type: text/plain; charset="utf-8"
>
> I did a bit more investigation on this. I ran:
>
> $ sudo /usr/bin/snort -T
> ERROR: Test mode must be run with a snort configuration file.  Use the
> '-c' option on the command line to specify a configuration file.
> Fatal Error, Quitting..
>
> That seems to disagree with what the snort.8 man page says:
>
>       -T   Snort will start up in self-test mode, checking all the
>            supplied command line switches and rules files that are
>            handed to it and indicating that everything is ready to
>            proceed.   This  is a good switch to use if daemon mode
>            is going to be used, it verifies that the Snort  confi-
>            guration  that  is  about to be used is valid and won't
>            fail  at  run  time.  Note,  Snort  looks  for   either
>            /etc/snort.conf  or ./snort.conf.  If your config lives
>            elsewhere,  use  the  -c  option  to  specify  a  valid
>            config-file.
>
> I then truss'ed (Solaris equivalent of Linux strace), and sure enough,
> snort doesn't try to open /etc/snort.conf or ./snort.conf
>
> Trying:
>
> $ sudo /usr/bin/snort -T -c /etc/snort.conf
> Running in Test mode
>
>          --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort.conf"
> ...
>
> works just fine.
>
> So is this just a case of the -T section in the snort.8 man page being
> wrong and you have to supply a configuration file at run time via the
> -c command line option?
>
> Thanks.
>
>
>
>
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
>
>
> ------------------------------
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
> End of Snort-devel Digest, Vol 98, Issue 7
> ******************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140929/9b50755a/attachment.html>
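An added, stand-alone C example for the IP-logging exchange quoted above (it is not code from the thread, from dpx, or from Snort). It shows the three ways the thread ends up formatting an IPv4 address: the final version's raw bytes printed with %u, Emiliano's shift-packed integer split back into octets, and the portable library call inet_ntop; it checks that all three agree, and it mirrors the one-line difference between Luc's failing and working snippets, namely that the local header copy has to be assigned from the packet (`iphd = p->inner_ip4h;`) before its addresses are read. The `mock_*` types, the constructed sample packet, the address values and all function names are assumptions made for this example; the real types live in sf_snort_packet.h and sf_ip.h.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Minimal stand-ins for the Snort dynamic-preprocessor types named in the
 * thread (sfip_t, IP4Hdr, SFSnortPacket). Layouts are assumed for this
 * example only; only the 4-byte, network-byte-order address matters here. */
typedef struct { unsigned char ip[4]; } mock_sfip_t;
typedef struct { mock_sfip_t ip_src, ip_dst; } mock_IP4Hdr;
typedef struct { mock_IP4Hdr inner_ip4h; uint16_t src_port, dst_port; } mock_packet;

/* Constructed sample packet: the addresses Luc expected to see in test.pcap. */
static const mock_packet sample = {
    .inner_ip4h = { .ip_src = {{10, 1, 2, 3}}, .ip_dst = {{10, 4, 5, 6}} },
    .src_port = 12345, .dst_port = 80,
};

/* Approach 1 (the thread's final version): print the four raw bytes. */
int dotted_from_bytes(const unsigned char *b, char *out, size_t n) {
    return snprintf(out, n, "%u.%u.%u.%u",
                    (unsigned)b[0], (unsigned)b[1], (unsigned)b[2], (unsigned)b[3]);
}

/* Approach 2 (Emiliano's variant): pack the bytes into a host-order integer,
 * then split it again. Printing the packed value itself with %u gives one
 * large number (the "ipsrc16777216" style of output), not dotted decimal. */
uint32_t pack_ip4(const unsigned char *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}
int dotted_from_packed(uint32_t v, char *out, size_t n) {
    return snprintf(out, n, "%u.%u.%u.%u",
                    (unsigned)((v >> 24) & 0xFF), (unsigned)((v >> 16) & 0xFF),
                    (unsigned)((v >> 8) & 0xFF),  (unsigned)(v & 0xFF));
}

/* Approach 3: the portable library call, which also bounds the output buffer. */
const char *dotted_from_ntop(const unsigned char *b, char *out, size_t n) {
    struct in_addr a;
    memcpy(&a, b, sizeof a);            /* in_addr is already network order */
    return inet_ntop(AF_INET, &a, out, (socklen_t)n);
}

/* Returns 1 if all three formatters produce the same string for the address. */
int all_methods_agree(const unsigned char *b) {
    char s1[INET_ADDRSTRLEN], s2[INET_ADDRSTRLEN], s3[INET_ADDRSTRLEN];
    dotted_from_bytes(b, s1, sizeof s1);
    dotted_from_packed(pack_ip4(b), s2, sizeof s2);
    if (!dotted_from_ntop(b, s3, sizeof s3)) return 0;
    return strcmp(s1, s2) == 0 && strcmp(s2, s3) == 0;
}

/* Mirrors the working snippet: copy the header out of the packet *before*
 * reading it. A local header that is declared but never assigned from the
 * packet holds indeterminate bytes, so whatever is printed from it is noise.
 * Writes src/dst as dotted strings; returns 0 on success, -1 on failure. */
int format_packet_addrs(const mock_packet *p, char *src, size_t srcn,
                        char *dst, size_t dstn) {
    mock_IP4Hdr iphd = p->inner_ip4h;   /* the assignment the fix added */
    if (!dotted_from_ntop(iphd.ip_src.ip, src, srcn)) return -1;
    if (!dotted_from_ntop(iphd.ip_dst.ip, dst, dstn)) return -1;
    return 0;
}

/* Accessors over the constructed sample (static buffers, demo use only). */
const char *sample_src_dotted(void) {
    static char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    return format_packet_addrs(&sample, s, sizeof s, d, sizeof d) == 0 ? s : "";
}
const char *sample_dst_dotted(void) {
    static char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    return format_packet_addrs(&sample, s, sizeof s, d, sizeof d) == 0 ? d : "";
}
uint32_t sample_src_packed(void) { return pack_ip4(sample.inner_ip4h.ip_src.ip); }

int main(void) {
    printf("IPsource %s port %u\n", sample_src_dotted(), (unsigned)sample.src_port);
    printf("IPdestination %s port %u\n", sample_dst_dotted(), (unsigned)sample.dst_port);
    printf("packed source printed with %%u: %u\n", (unsigned)sample_src_packed());
    return 0;
}
```

In a real preprocessor the `_dpd.logMsg` call would take the string produced by inet_ntop (or by either manual formatter) with a plain `%s`; the point of the comparison is that the byte-walking and shift-and-mask variants only agree with inet_ntop because the address bytes are already in network order, and that none of them can help if the header they read was never copied from the packet.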

