[Snort-devel] Snort-devel Digest, Vol 128, Issue 1

Da Pozzo Matteo m.dapozzo at ...3663...
Fri Mar 17 11:16:21 EDT 2017


Hi Russ,

Thank you for your feedback.

An example could be when the sensor is placed inline but intercepts the DNS request originated by a client that is infected, while the DNS query is intercepted on its way from the internal DNS server to the Internet DNS server/root name servers. In this case we can see that the malicious DNS request was originated by the internal DNS server, and then we are not able to identify the real infected client. However, we can try to adjust the DNS flows in order to intercept the client-to-internal-DNS query, but I think that parsing and logging the ECS option could be a useful feature (basically it is the same logic as XFF for HTTP).

Regarding your question, the answer is yes: I am just looking to log extra data with an event. If we look at Firepower, it could be useful to track the real client IP of the DNS query in DNS security intelligence events and also in BLACKLIST-DNS events. (If you want, you can check this to obtain some traffic with this option: https://tools.keycdn.com/dig )

The RFC draft (7871) states that this option is for the client subnet, but in this case we need to intercept the client IP; as you can see from the dig output, the CLIENT-SUBNET implementation also supports CIDR notation with a host mask:

; <<>> DiG 9.10.1 <<>> +additional google.com @8.8.4.4 +subnet=192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18692
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 192.168.10.10/32/0
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             299     IN      A       209.85.147.101
google.com.             299     IN      A       209.85.147.100
google.com.             299     IN      A       209.85.147.139
google.com.             299     IN      A       209.85.147.102
google.com.             299     IN      A       209.85.147.113
google.com.             299     IN      A       209.85.147.138

;; Query time: 24 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Mar 17 15:07:52 UTC 2017
;; MSG SIZE  rcvd: 147


I hope I was clear enough. Please, let me know your opinion.

Thanks in advance,

Best Regards.

Matteo


Matteo Da Pozzo

Communication Valley
Via Robert Koch, 1/4
20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo at ...3663...
www.reply.it
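An added example, not code from this thread or from Snort: a small Python parser that pulls the CLIENT-SUBNET (ECS) option out of a DNS query the way the logging feature discussed above would, returning the address, source prefix and scope prefix (the dig output above shows 192.168.10.10/32/0). The packet comes from build_query, a helper constructed here rather than captured traffic.

```python
import struct
from ipaddress import ip_address

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)
ECS_CODE = 8   # EDNS Client Subnet option code (RFC 7871)

def _skip_name(buf, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while buf[off] != 0:
        if (buf[off] & 0xC0) == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1

def extract_ecs(packet):
    """Return (address, source_prefix, scope_prefix) from the first ECS option, else None."""
    qd, an, ns, ar = struct.unpack_from("!4H", packet, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # walk the EDNS option list
            code, olen = struct.unpack_from("!HH", rdata, pos)
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code != ECS_CODE or len(body) < 4:
                continue
            family, src, scope = struct.unpack_from("!HBB", body)
            size, need = {1: 4, 2: 16}.get(family), (src + 7) // 8
            if size is None or src > size * 8 or len(body) != 4 + need:
                continue  # malformed option: ignore rather than log a bogus client
            # only ceil(prefix/8) address bytes are sent; zero-pad the remainder
            return str(ip_address(body[4:4 + need].ljust(size, b"\x00"))), src, scope
    return None

def build_query(name, ecs_addr, prefix):
    """Constructed sample input: a minimal A query carrying ECS, as dig +subnet sends."""
    ip = ip_address(ecs_addr)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    ecs = struct.pack("!HBB", {4: 1, 6: 2}[ip.version], prefix, 0) + ip.packed[:(prefix + 7) // 8]
    rdata = struct.pack("!HH", ECS_CODE, len(ecs)) + ecs
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 512, 0, len(rdata)) + rdata  # root name, UDP 512
    return struct.pack("!6H", 0x4904, 0x0100, 1, 0, 0, 1) + qname + struct.pack("!HH", 1, 1) + opt
```

A /24 yields the network address rather than a host, so an event should log the prefix length alongside the address to avoid attributing a query to a single client that the resolver never identified.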
-----Original Message-----
From: snort-devel-request at lists.sourceforge.net [mailto:snort-devel-request at lists.sourceforge.net]
Sent: Friday 17 March 2017 15:22
To: snort-devel at lists.sourceforge.net
Subject: Snort-devel Digest, Vol 128, Issue 1

Send Snort-devel mailing list submissions to
        snort-devel at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-devel
or, via email, send a message with subject or body 'help' to
        snort-devel-request at lists.sourceforge.net

You can reach the person managing the list at
        snort-devel-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-devel digest..."


Today's Topics:

   1. Snort 3.0 Alpha 4 has been released! (Snort Releases)
   2. EDNS-Client-Subnet ECS (Da Pozzo Matteo)
   3. Re: EDNS-Client-Subnet ECS (Russ)


----------------------------------------------------------------------

Message: 1
Date: Thu, 2 Mar 2017 12:24:00 -0500
From: Snort Releases <snortreleases at ...835...>
Subject: [Snort-devel] Snort 3.0 Alpha 4 has been released!
To: snort-users at lists.sourceforge.net,
        snort-devel at lists.sourceforge.net
Message-ID: <1ef0236c-89cb-ee13-3550-ff91d7509e7e at ...835...>
Content-Type: text/plain; charset="utf-8"

The fourth alpha release of Snort++ is now available on Snort.org <https://snort.org/downloads/#snort-3.0>. If you haven't tried Snort++ yet, now is a good time to do so as this pig sports a superset of Snort 2.9.8.3 functionality:

* Support for multiple packet processing threads
* Improved throughput and latency performance
* Improved detection
* Modular design
* Plugin framework with over 200 plugins
* More scalable memory profile
* A brand new HTTP inspector
* Service rules like alert http
* Rule "sticky" buffers
* LuaJIT configuration, loggers, and rule options
* Auto-detect common services for portless configuration
* Rewritten TCP handling
* New rule parser and syntax
* New performance monitor
* New time and space profiling
* New latency monitoring and enforcement
* Automake or Cmake - your choice
* Builtin help and generated reference documentation

The first beta release is expected around midyear at which point Talos will provide 3.0 rule downloads.  In the meantime, you can use the snort2lua utility packaged with Snort++ to convert 2.X rules and confs.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org <http://snort.org/> monthly.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs at ...835... or the Snort-Users <https://lists.sourceforge.net/lists/listinfo/snort-users> mailing list.

Happy Snorting!
The Snort Release Team


------------------------------

Message: 2
Date: Thu, 16 Mar 2017 09:34:35 +0000
From: Da Pozzo Matteo <m.dapozzo at ...3663...>
Subject: [Snort-devel] EDNS-Client-Subnet ECS
To: "snort-devel at lists.sourceforge.net"
        <snort-devel at lists.sourceforge.net>
Message-ID:
        <55560A9516213C45A36F74E8B964B2A972FD3F96 at ...3686...>
Content-Type: text/plain; charset="us-ascii"

Hi,

I would like to know if there is any plan for development regarding EDNS-Client-Subnet (like field extraction for Original-client-IP for HTTP). I think that it could be useful for security purposes in existing deployments, in order to use DNS query content like XFF for HTTP.

Please, let me know about your opinion.

Thanks in advance,

Best Regards.

Matteo


Matteo Da Pozzo

Communication Valley
Via Robert Koch, 1/4
20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo at ...3663...<mailto:m.dapozzo at ...3663...>
www.reply.it

--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

------------------------------

Message: 3
Date: Fri, 17 Mar 2017 10:21:50 -0400
From: Russ <rucombs at ...3461...>
Subject: Re: [Snort-devel] EDNS-Client-Subnet ECS
To: snort-devel at lists.sourceforge.net
Message-ID: <cb99baf1-6a30-8a5e-d2d8-80fd665fc2da at ...3461...>
Content-Type: text/plain; charset="windows-1252"

Can you give an example of your use case(s)?  Are you looking just to log extra data with an event like XFF or are you looking for a way to match on the content?

On 3/16/17 5:34 AM, Da Pozzo Matteo wrote:
>
> Hi,
>
> I would like to know if there is any plan for development regarding
> EDNS-Client-Subnet (like field extraction for Original-client-IP for
> HTTP). I think that it could be useful for security purposes in
> existing deployments, in order to use DNS query content like XFF for HTTP.
>
> Please, let me know about your opinion.
>
> Thanks in advance,
>
>
> Best Regards.
>
> Matteo


------------------------------

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot

------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel


End of Snort-devel Digest, Vol 128, Issue 1
*******************************************