[Snort-devel] Snort-devel Digest, Vol 98, Issue 7

Hui Cao (huica) huica at ...3461...
Tue Sep 30 15:00:52 EDT 2014


You can use a Snort preprocessor to work with a firewall. I am not familiar with Web Application Firewalls like ModSecurity, but I am sure this will involve lots of development.

Best,
Hui.

From: Muhammad Ridwan Zalbina <zalbinaridwan at ...2499...<mailto:zalbinaridwan at ...2499...>>
Date: Monday, September 29, 2014 at 5:03 AM
To: "snort-devel at lists.sourceforge.net<mailto:snort-devel at ...362....net>" <snort-devel at lists.sourceforge.net<mailto:snort-devel at ...2763...rge.net>>
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 98, Issue 7

Hello, I'm new here ...
I want to ask something about Snort development ..
Is there a way to modify a preprocessor of Snort to combine it with a Web Application Firewall like ModSecurity ...
If so, can you tell me the way ... ?

On Fri, Sep 26, 2014 at 8:17 PM, <snort-devel-request at lists.sourceforge.net<mailto:snort-devel-request at lists.sourceforge.net>> wrote:
Send Snort-devel mailing list submissions to
        snort-devel at lists.sourceforge.net<mailto:snort-devel at ...2763...rge.net>

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-devel
or, via email, send a message with subject or body 'help' to
        snort-devel-request at lists.sourceforge.net<mailto:snort-devel-request at lists.sourceforge.net>

You can reach the person managing the list at
        snort-devel-owner at lists.sourceforge.net<mailto:snort-devel-owner at ...2859...sts.sourceforge.net>

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-devel digest..."


Today's Topics:

   1. Re: How to log an IP address in dpx.c ? (Emiliano Fausto)
   2. DAQ output (Eugenio Perez)
   3. Possible to configure snort for an alternative to /etc for
      default conf. files? (Rich Burridge)
   4. Re: Possible to configure snort for an alternative to /etc
      for default conf. files? (Rich Burridge)


----------------------------------------------------------------------

Message: 1
Date: Tue, 16 Sep 2014 12:48:40 -0300
From: Emiliano Fausto <emiliano.fausto at ...2499...<mailto:emiliano.fausto at ...1066....2499...>>
Subject: Re: [Snort-devel] How to log an IP address in dpx.c ?
To: "Zeeuw, L.V. de" <l.v.de.zeeuw at ...3504...<mailto:l.v.de.zeeuw at ...3518....>>
Cc: "snort-devel at lists.sourceforge.net<mailto:snort-devel at ...362....net>"
        <snort-devel at lists.sourceforge.net<mailto:snort-devel at ...1954...orge.net>>
Message-ID:
        <CAD2H3x8b=-NgD+fme_+nfAOEY7=cuSk-T1=k3gujpV2JdzF0kA at ...3521.....<mailto:k3gujpV2JdzF0kA at ...2500...>>
Content-Type: text/plain; charset="utf-8"

That's great!

Regards,
Emi

2014-09-16 11:47 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...<mailto:l.v.de.zeeuw at ...3504...>>:

> Hi Emiliano (and Steven),
>
> working on the code you provided previously, this code will do the job for
> me:
>
>     IP4Hdr iphd;
>     sfip_t iphdt;
>
>     iphd = p->inner_ip4h;
>     iphdt = iphd.ip_src;
>     /* the four address bytes sit in memory in wire order */
>     unsigned char *ipV4address = (unsigned char*) &iphdt.ip;
>     _dpd.logMsg("IPsource %u.%u.%u.%u\n", *ipV4address,
>                 *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));
>
>     /* ipV4address still points at iphdt, so reassigning it is enough */
>     iphdt = iphd.ip_dst;
>     _dpd.logMsg("IPdestination %u.%u.%u.%u\n", *ipV4address,
>                 *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));
>
> Using the test.pcap as input file.
>
> Output:
>
>     IPsource 10.9.8.7
>     IPdestination 10.4.5.6
>
> Thank you both for your time.
>
> Regards,
>
> Luc
>
>
> >>> Emiliano Fausto <emiliano.fausto at ...2499...<mailto:emiliano.fausto at ...1066....2499...>> 09/15/14 3:12 PM >>>
>
> Hello Luc,
>
> what if you try with something like this?
>
>     _dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
>                 (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
>                 (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF,
>                 src_port_test);
>
> Maybe there's a better way, but hope it helps.
>
> Regards,
> Emiliano.
>
> 2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...<mailto:l.v.de.zeeuw at ...3504...>>:
>
>> Hi Emiliano,
>>
>> I am still trying to log the IP4 source and IP4 destination addresses in
>> dotted decimal format.
>>
>> I was too quick in saying that everything worked fine using the code
>> you provided previously. I hope you will help me once again (or anyone
>> else) to figure out what is wrong.
>>
>> When I am adding this code to the dpx.c (from the dpx-1.6.tar.gz)
>> just before the last }
>>
>>     IP4Hdr iphd;
>>     sfip_t iphdt;
>>
>>     iphdt = iphd.ip_src;
>>     unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
>>     unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
>>                                (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
>>     unsigned short int src_port_test = p->src_port;
>>
>>     iphdt = iphd.ip_dst;
>>     unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
>>     unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
>>                                (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
>>     unsigned short int dst_port_test = p->dst_port;
>>     _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
>>                 src_ip_test, src_port_test, dst_ip_test, dst_port_test);
>>
>> I cannot find the correct IP address output (the port numbers are
>> correct) when running ./test.sh (using test.pcap as input)
>>
>>     Test: ipsrc16777216 portsrc12345 ipdst0         portDst8
>>     Test: ipsrc16777216 portsrc8 ipdst0     portDst12345
>>     Test: ipsrc16777216 portsrc12345 ipdst0         portDst80
>>     Test: ipsrc16777216 portsrc12345 ipdst0         portDst8
>>     Test: ipsrc16777216 portsrc8 ipdst0     portDst12345
>>     Test: ipsrc16777216 portsrc12345 ipdst0         portDst80
>>
>> The IPsrc should be 10.1.2.3 ...
>> The IPdst should be 10.4.5.6 ...
>>
>> I can not figure out what is wrong. Any help is appreciated.
>>
>> Regards,
>>
>> Luc
>>
>>
>>
>>
>>
>>
>> >>> Zeeuw, L.V. de 07/25/14 9:19 AM >>>
>> Hi Emiliano,
>>
>> thank you! I have tried this and indeed it works fine if I use
>>
>>    IP4Hdr iphd;
>>    sfip_t iphdt;
>>
>> for the declaration.
>>
>> These code snippets are very useful!
>>
>> Regards,
>>
>> Luc
>>
>>
>>
>> >>> Emiliano Fausto <emiliano.fausto at ...2499...<mailto:emiliano.fausto at ...300.....2499...>> 07/24/14 6:49 PM >>>
>> Hello Luc,
>>
>> I've tried this test and it works fine:
>>
>>
>> iphdt = iphd.ip_src;
>> unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
>> unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) + (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
>> unsigned short int src_port_test = p->src_port;
>>
>> iphdt = iphd.ip_dst;
>> unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
>> unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) + (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
>> unsigned short int dst_port_test = p->dst_port;
>> _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",src_ip_test,src_port_test, dst_ip_test,dst_port_test);
>>
>>
>> Hope it helps,
>> Emiliano.
>>
>>
>> 2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw at ...3504...<mailto:l.v.de.zeeuw at ...3504...>>:
>>
>>> Hi,
>>>
>>> I am experimenting with the dpx. It's working. Now I started adding some
>>> statements to view the content of the ip4/tcp headers. I am able to log
>>> things like src/dst, TCP payload size, etc.
>>>
>>>     SFSnortPacket* p = (SFSnortPacket*)pkt;
>>>
>>>     _dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port,
>>>                 p->dst_port);
>>>     _dpd.logMsg("Payload size %i\n", p->payload_size);
>>>
>>> but from sf_snort_packet.h and sf_ip.h (??) I do not know how to log an
>>> ip-address ...
>>>
>>> I should like to ...
>>>
>>>     _dpd.logMsg("Source ip %?? \n", ?????);
>>>
>>> BTW: Are there any recent books/tutorials for these kind of questions you
>>> would recommend? What about Snort development documentation for the most
>>> recent Snort version?
>>>
>>> Any help is appreciated.
>>>
>>> Regards,
>>>
>>> Luc
>>>
>>> the Netherlands
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net<mailto:Snort-devel at ...2402...net>
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>
>>
>

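As an added stand-alone example (not code from this thread or from Snort), the two ways of printing an IPv4 address discussed in Message 1 side by side: reading the four bytes in memory order, as in Luc's final snippet, and packing them into a host-order 32-bit value and shifting the octets back out, as in Emiliano's suggestion. `SfipLike` is a constructed stand-in for the 16-byte address storage of `sfip_t`, and the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* Constructed stand-in for the address storage in Snort's sfip_t: 16 bytes,
 * of which an IPv4 address occupies the first four, in wire byte order. */
typedef struct { uint8_t ip[16]; } SfipLike;

/* Approach 1 (Luc's final code): print the bytes in memory order. */
int ip4_bytes_to_dotted(const SfipLike *a, char *buf, size_t len)
{
    const unsigned char *b = (const unsigned char *)&a->ip;
    return snprintf(buf, len, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
}

/* Approach 2 (Emiliano's suggestion): pack into a host-order uint32 so the
 * first octet becomes the most significant byte, independent of endianness. */
uint32_t ip4_bytes_to_host_u32(const SfipLike *a)
{
    const unsigned char *b = (const unsigned char *)&a->ip;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* ...and shift the octets back out of that value for printing. */
int ip4_host_u32_to_dotted(uint32_t ip, char *buf, size_t len)
{
    return snprintf(buf, len, "%u.%u.%u.%u", (ip >> 24) & 0xFF,
                    (ip >> 16) & 0xFF, (ip >> 8) & 0xFF, ip & 0xFF);
}

/* Constructed sample: the 10.1.2.3 source address Luc expected to see. */
SfipLike sample_src(void)
{
    SfipLike a;
    memset(&a, 0, sizeof a);
    a.ip[0] = 10; a.ip[1] = 1; a.ip[2] = 2; a.ip[3] = 3;
    return a;
}

int main(void)
{
    char buf[16];
    SfipLike a = sample_src();
    uint32_t h = ip4_bytes_to_host_u32(&a);
    ip4_bytes_to_dotted(&a, buf, sizeof buf);
    printf("memory order: %s\n", buf);
    ip4_host_u32_to_dotted(h, buf, sizeof buf);
    printf("host order  : %s (0x%08x)\n", buf, h);
    return 0;
}
```

Both paths print 10.1.2.3 for the sample; the large bare integers in Luc's earlier output came from feeding uninitialised bytes into the packing step, not from the packing itself.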
------------------------------

Message: 2
Date: Wed, 24 Sep 2014 10:20:30 +0200
From: Eugenio Perez <eugenio at ...3500...<mailto:eugenio at ...3500...>>
Subject: [Snort-devel] DAQ output
To: snort-devel at lists.sourceforge.net<mailto:snort-devel at ...2402...net>
Message-ID:
        <CACJcbv2b4wO8tVapdgNhmuUJ++QwhkhycCeAvzC6ag6TWvNdBg at ...2500...<mailto:CACJcbv2b4wO8tVapdgNhmuUJ%2B%2BQwhkhycCeAvzC6ag6TWvNdBg at ...2500...>>
Content-Type: text/plain; charset=UTF-8

Hi everyone.

Is there any way to do DAQ logging from daq_acquire() function? I have
only seen two ways so far:
- Raw fprintf, so I can't be homogeneous with snort logging
- Break and return some kind of error (that I definitely don't want
to, because I only want to report a log, not break)

Thanks for all and regards.



------------------------------

Message: 3
Date: Thu, 25 Sep 2014 14:20:08 -0700
From: Rich Burridge <rich.burridge at ...3515...<mailto:rich.burridge at ...3522.....>>
Subject: [Snort-devel] Possible to configure snort for an alternative
        to /etc for default conf. files?
To: snort-devel at lists.sourceforge.net<mailto:snort-devel at ...2402...net>
Message-ID: <54248708.3030805 at ...3515...<mailto:54248708.3030805 at ...3515...>>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi,

Is it possible to build snort from source (a configure option that I'm
overlooking perhaps), so that it looks for its various default
configuration files (like snort.conf) under (say) /etc/snort instead of
directly under /etc ?

I did notice:

--sysconfdir=DIR        read-only single-machine data [PREFIX/etc]

when I did "configure --help", but I'm not sure that's the solution.
From a quick glance at the snort source code, looking directly under
"/etc/" seems to be baked in.

I do know about the "-c" runtime option to allow a different conf file,
but I'm the guy that creates the snort package for Solaris. I've been
asked to consider that the default install for snort config files should
be /etc/snort/... rather than /etc, so as not to "pollute" /etc.

I'm just trying to determine if it's (easily) possible to do.

Thanks.





------------------------------

Message: 4
Date: Fri, 26 Sep 2014 06:16:50 -0700
From: Rich Burridge <rich.burridge at ...3515...<mailto:rich.burridge at ...3522.....>>
Subject: Re: [Snort-devel] Possible to configure snort for an
        alternative to /etc for default conf. files?
To: snort-devel at lists.sourceforge.net<mailto:snort-devel at ...2402...net>
Message-ID: <54256742.5010909 at ...3515...<mailto:54256742.5010909 at ...3515...>>
Content-Type: text/plain; charset="utf-8"

I did a bit more investigation on this. I ran:

$ sudo /usr/bin/snort -T
ERROR: Test mode must be run with a snort configuration file.  Use the
'-c' option on the command line to specify a configuration file.
Fatal Error, Quitting..

That seems to disagree with what the snort.8 man page says:

      -T   Snort will start up in self-test mode, checking all the
           supplied command line switches and rules files that are
           handed to it and indicating that everything is ready to
           proceed.   This  is a good switch to use if daemon mode
           is going to be used, it verifies that the Snort  confi-
           guration  that  is  about to be used is valid and won't
           fail  at  run  time.  Note,  Snort  looks  for   either
           /etc/snort.conf  or ./snort.conf.  If your config lives
           elsewhere,  use  the  -c  option  to  specify  a  valid
           config-file.

I then truss'ed (Solaris equivalent of Linux strace), and sure enough,
snort doesn't try to open /etc/snort.conf or ./snort.conf

Trying:

$ sudo /usr/bin/snort -T -c /etc/snort.conf
Running in Test mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort.conf"
...

works just fine.

So is this just a case of the -T section in the snort.8 man page being
wrong and you have to supply a configuration file at run time via the
-c command line option?

Thanks.




------------------------------


------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net<mailto:Snort-devel at lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/snort-devel


End of Snort-devel Digest, Vol 98, Issue 7
******************************************


