[Snort-devel] Custom dynamic preprocessor - How to display alert message passed to alertAdd func?

Seshaiah Erugu (serugu) serugu at ...3461...
Thu Sep 22 04:59:38 EDT 2016


Hi Jan,

To generate an alert as you expect, with dynamic user data, you have to add the rule to the preprocessor.rules file. Please refer to the following example.

Example #

The following is the reference code to implement the preprocessor alert. Please refer to the complete code.

1 )  Add your rule to the preprocessor.rules file.

    Ex #  alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-user; reference:cve,2002-1090; )

2 )  Write a wrapper function and call _dpd.alertAdd from this function.

    Ex #  ./dynamic-preprocessors/smtp/smtp_log.c

    void SMTP_GenerateAlert(int event, char *format, ...)
    {
        /* ... */

        smtp_event[event][0] = '\0';
        vsnprintf(&smtp_event[event][0], EVENT_STR_LEN - 1, format, ap);
        smtp_event[event][EVENT_STR_LEN - 1] = '\0';

        _dpd.alertAdd(GENERATOR_SMTP, event, 1, 0, 3, &smtp_event[event][0], 0);

        /* ... */
    }

3 )  Wherever you want to generate an alert, please call your GenerateAlert function with the proper data.

    Ex #  SMTP_GenerateAlert(SMTP_RESPONSE_OVERFLOW, "%s: %d chars", SMTP_RESPONSE_OVERFLOW_STR, resp_line_len);

    In your case you should call the GenerateAlert function inside the "if":

    if (parsed.src_user_name == "bad_intruder") {
        gid=100000; sid=9000000; revision=1; classification=0; priority=3; rule_info=0;
        msg=src_user_name + " attacks " + dest_address;
        XXXX_GenerateAlert (sid, msg, len); }


Please check the following files for adding the #defines:

    ./dynamic-preprocessors/smtp/smtp_log.h

    #define SMTP_RESPONSE_OVERFLOW      3
    #define SMTP_RESPONSE_OVERFLOW_STR  "(smtp) Attempted response buffer overflow"

    ./generators.h

    #define GENERATOR_SMTP              124
    #define SMTP_RESPONSE_OVERFLOW      3



Refer to the SMTP_RESPONSE_OVERFLOW alert code and you will get a complete understanding.
Let me know if you need any more info.



Thanks,
Seshaiah Erugu.
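As an added example (not code from the Snort tree or from either poster), here is the three-step pattern from the reply applied to Jan's fictional protocol: a small event index, a per-event buffer filled by vsnprintf, and a wrapper that hands that buffer to _dpd.alertAdd, so the formatted text rather than the rule's static msg is what reaches the alert output. The DynamicPreprocessorData struct, the recording stub behind it, the MyProto_* names, the gid/sid values and the sample user names are all constructed here so the file compiles and runs offline; in a real preprocessor _dpd comes from sf_dynamic_preprocessor.h and is filled in by Snort, and the gid:sid pair must have a matching entry in preprocessor.rules (assumed here: alert ( msg: "MYPROTO_BAD_USER"; sid: 9000000; gid: 100000; rev: 1; metadata: rule-type preproc; classtype:attempted-user; )).

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the Snort dynamic-preprocessor API, constructed so this file
 * compiles offline. A real preprocessor includes sf_dynamic_preprocessor.h and
 * uses the _dpd Snort hands it; it never defines its own. Argument order
 * mirrors the page: gid, sid, rev, classification, priority, msg, rule_info. */
typedef struct {
    int (*alertAdd)(unsigned gid, unsigned sid, unsigned rev,
                    unsigned classification, unsigned priority,
                    const char *msg, void *rule_info);
} DynamicPreprocessorData;

/* What the stub captured from the most recent alertAdd call. */
struct LastAlert {
    unsigned gid, sid, rev, classification, priority;
    char msg[256];
    int count;
};
static struct LastAlert last_alert;

static int stub_alertAdd(unsigned gid, unsigned sid, unsigned rev,
                         unsigned classification, unsigned priority,
                         const char *msg, void *rule_info)
{
    (void)rule_info;
    last_alert.gid = gid;
    last_alert.sid = sid;
    last_alert.rev = rev;
    last_alert.classification = classification;
    last_alert.priority = priority;
    snprintf(last_alert.msg, sizeof last_alert.msg, "%s", msg);
    last_alert.count++;
    return 0;
}
static DynamicPreprocessorData _dpd = { stub_alertAdd };

/* ---- Preprocessor side: the equivalents of generators.h and xxx_log.h ---- */

#define GENERATOR_MYPROTO 100000u   /* hypothetical gid; must match preprocessor.rules */

/* Small event index (selects a message buffer) and the sid each event raises. */
enum MyProtoEvent { MYPROTO_BAD_USER = 0, MYPROTO_NUM_EVENTS };
static const unsigned myproto_sid[MYPROTO_NUM_EVENTS] = { 9000000u };
#define MYPROTO_BAD_USER_STR "(myproto) suspicious user name"

#define EVENT_STR_LEN 256
static char myproto_event[MYPROTO_NUM_EVENTS][EVENT_STR_LEN];

/* Format the per-event message and queue it with alertAdd. Returns the number
 * of characters stored after truncation, or -1 for a bad event/format. */
int MyProto_GenerateAlert(enum MyProtoEvent event, const char *format, ...)
{
    va_list ap;
    int n;

    if ((int)event < 0 || (int)event >= MYPROTO_NUM_EVENTS)
        return -1;

    va_start(ap, format);
    n = vsnprintf(myproto_event[event], EVENT_STR_LEN, format, ap);
    va_end(ap);
    myproto_event[event][EVENT_STR_LEN - 1] = '\0';  /* NUL-terminated even when truncated */

    _dpd.alertAdd(GENERATOR_MYPROTO, myproto_sid[event], 1 /* rev */,
                  0 /* classification */, 3 /* priority */,
                  myproto_event[event], NULL /* rule_info */);

    return (n < 0) ? -1 : (n < EVENT_STR_LEN ? n : EVENT_STR_LEN - 1);
}

/* The check from the question, with the parsed fields passed in explicitly.
 * Returns 1 if an alert was raised, 0 otherwise. */
int MyProto_CheckUser(const char *src_user_name, const char *dest_address)
{
    if (strcmp(src_user_name, "bad_intruder") == 0) {
        MyProto_GenerateAlert(MYPROTO_BAD_USER, "%s: %s attacks %s",
                              MYPROTO_BAD_USER_STR, src_user_name, dest_address);
        return 1;
    }
    return 0;
}

/* Accessor for the stub's record (only meaningful outside real Snort). */
const struct LastAlert *MyProto_LastAlert(void) { return &last_alert; }

int main(void)
{
    MyProto_CheckUser("alice", "10.0.0.5");              /* no alert */
    MyProto_CheckUser("bad_intruder", "172.223.9.151");  /* alert raised */
    printf("[%u:%u:%u] %s\n", last_alert.gid, last_alert.sid,
           last_alert.rev, last_alert.msg);
    return 0;
}
```

The buffer is indexed by event for the same reason the SMTP code does it: the pointer passed to alertAdd is the only storage for the text, so two different events raised on the same packet need separate buffers or the second vsnprintf overwrites the first message before it is logged. vsnprintf is given the full buffer length and the last byte is re-terminated anyway, so an over-long user name from the wire is truncated rather than overrunning the static array.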

-----Original Message-----
From: Jan Hermes [mailto:jan.hermes at ...3632...] 
Sent: Wednesday, September 21, 2016 7:27 PM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Custom dynamic preprocessor - How to display alert message passed to alertAdd func?

Hello,

I built a dynamic preprocessor and would like it to create several specific alert messages. Let me give you a short example with some fictional assumptions:

- the preproc parses specific protocols that are not native for snort

- let's say the protocol is: [src_address, dest_address, src_user_name]

- the preprocessor parses all this information from the packet

- if the src_user_name equals "bad_intruder", I want an alert to be generated (of course the simplified concatenation and comparison of strings is only for better readability):
------------------------------------------------------

if (parsed.src_user_name == "bad_intruder") {
    gid=100000; sid=9000000; revision=1; classification=0; priority=3; rule_info=0;
    msg=src_user_name + " attacks " + dest_address;
    _dpd.alertAdd(gid, sid, revision, classification, priority, msg, rule_info); }

-------------------------------------------------------

- the local.rules file has this entry:
        alert (sid: 9000000; gid: 100000; msg: "alarm"; rev: 1 )

- the output I get from the alert detection is:
         09/21-13:30:18.178080  [**] [100000:9000000:1] alarm [**]

- But I would like it to display the way I passed it within the preprocessor's code, e.g.:

         09/21-13:30:18.178080  [**] [100000:9000000:1] bad_intruder attacks 172.223.9.151 [**]


How can I achieve this? I already tried to omit the message in
local.rules, which leaves me without any message at all.

Thanks,
Jan



------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
