[Snort-devel] Extending unified2 output with custom information from dynamic preprocessor

Russ rucombs at cisco.com
Mon Sep 4 09:29:14 EDT 2017



On 9/2/17 3:46 AM, Jan Hermes wrote:
> Hello,
>
> I developed a dynamic preprocessor that extracts custom important
> information out of network packages that are not included in the
> unified2 output.
>
> Under the following assumptions:
>
> - There is a fully working dynamic preprocessor SNIFF that works on a
> new network protocol
> - I wrote a rule that makes SNIFF trigger a Snort alert with a custom
> message if a specified source name was matched.
> - The message is in the form of ** (...) sourcename -> destname
> etc...** it gets created in the SNIFF preprocessor and added to the
> alert message.
> - Normal console Alerts or alert.log are showing this additional
> information
> - The unified2 output with its specified information with different
> variables is not showing any of this additional alert message
> information
>
> Is there a way to add new information to the unified2 output? If yes,
> can you point me towards a specific direction?
Good job. The new information sounds like what Snort calls u2 "extra
data". Extra data handling is a bit involved so before you get too far
make sure you have something that can consume the extra data. Barnyard2
and Snorby do not handle u2 extra data.

If you still want to go for it, have a look at these files:

./src/sfutil/Unified2_common.h

-- look for UNIFIED2_EXTRA_DATA, SerialUnified2ExtraData, and related

./src/output-plugins/spo_unified2.c

-- look for _WriteExtraData, etc.

./src/preprocessors/Stream6/snort_stream_tcp.c

-- read the "extra, extra" comments

./src/preprocessors/stream_api.h

-- look for the *xtra* methods

./src/dynamic-preprocessors/smtp/smtp_util.c
./src/preprocessors/snort_httpinspect.c

-- calls to set_extra_data, clear_extra_data

./tools/u2spewfoo/u2spewfoo.c

-- extradata_dump

Hope that helps.
Russ

>
> Thanks and Greetings
> Jan
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
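Russ's first point is that an extra-data record is only useful if something downstream can read it. The following is an added example, not code from the Snort project or from either poster, of a minimal unified2 reader that walks the record stream, decodes the extra-data records and groups them by the (sensor_id, event_id, event_second) triple that ties them to their alert. It hard-codes the record type and the SerialUnified2ExtraData field layout as I recall them from Unified2_common.h (record type 110, six 32-bit big-endian fields, blob_length counting the data plus 8 header bytes); check those against the header in your tree. CUSTOM_INFO_TYPE is a made-up placeholder for the value a new preprocessor such as SNIFF would define, and the sample file is constructed inline.

```python
"""Minimal unified2 reader/writer focused on extra-data records (added example)."""
import struct
from typing import Dict, Iterator, List, NamedTuple, Tuple

# Layout assumptions taken from Snort's Unified2_common.h (verify against your tree).
UNIFIED2_EXTRA_DATA = 110        # Unified2RecordHeader.type for extra data
EVENT_DATA_TYPE_BLOB = 1         # the only EventDataType Snort emits
EVENT_INFO_HTTP_HOSTNAME = 10    # one of the built-in EventInfo values
CUSTOM_INFO_TYPE = 1000          # hypothetical placeholder for a SNIFF-specific type

RECORD_HDR = struct.Struct("!II")      # type, length (network byte order)
EXTRA_HDR = struct.Struct("!IIIIII")   # sensor_id, event_id, event_second,
                                       # type, data_type, blob_length
BLOB_OVERHEAD = 8                      # blob_length includes data_type + blob_length


class ExtraData(NamedTuple):
    sensor_id: int
    event_id: int
    event_second: int
    info_type: int
    data_type: int
    blob: bytes


def build_extra_data_record(sensor_id: int, event_id: int, event_second: int,
                            info_type: int, blob: bytes) -> bytes:
    """Serialize one extra-data record the way a writer like _WriteExtraData would."""
    body = EXTRA_HDR.pack(sensor_id, event_id, event_second, info_type,
                          EVENT_DATA_TYPE_BLOB, len(blob) + BLOB_OVERHEAD) + blob
    return RECORD_HDR.pack(UNIFIED2_EXTRA_DATA, len(body)) + body


def iter_records(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, payload) for each record; refuse to read past a truncated file."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        if off + rlen > len(buf):
            raise ValueError(f"truncated record of type {rtype} at offset {off}")
        yield rtype, buf[off:off + rlen]
        off += rlen


def parse_extra_data(payload: bytes) -> ExtraData:
    """Decode a SerialUnified2ExtraData header and its blob, validating the lengths."""
    if len(payload) < EXTRA_HDR.size:
        raise ValueError("extra data record shorter than its fixed header")
    sensor_id, event_id, event_second, info_type, data_type, blob_length = \
        EXTRA_HDR.unpack_from(payload, 0)
    if data_type != EVENT_DATA_TYPE_BLOB:
        raise ValueError(f"unexpected data_type {data_type}")
    data_len = blob_length - BLOB_OVERHEAD
    if data_len < 0 or EXTRA_HDR.size + data_len > len(payload):
        raise ValueError("blob_length inconsistent with record length")
    blob = payload[EXTRA_HDR.size:EXTRA_HDR.size + data_len]
    return ExtraData(sensor_id, event_id, event_second, info_type, data_type, blob)


def extra_data_by_event(buf: bytes) -> Dict[Tuple[int, int, int], List[ExtraData]]:
    """Group extra-data records by the event they belong to; other record types are skipped."""
    grouped: Dict[Tuple[int, int, int], List[ExtraData]] = {}
    for rtype, payload in iter_records(buf):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue  # IDS event / packet records are not decoded by this reader
        ed = parse_extra_data(payload)
        grouped.setdefault((ed.sensor_id, ed.event_id, ed.event_second), []).append(ed)
    return grouped


def sample_file() -> bytes:
    """Constructed sample: a stand-in event record followed by two extra-data records."""
    event_stub = RECORD_HDR.pack(7, 52) + b"\x00" * 52   # body is a placeholder, not decoded
    key = (1, 42, 1504500000)
    return (event_stub
            + build_extra_data_record(*key, EVENT_INFO_HTTP_HOSTNAME, b"host.example.test")
            + build_extra_data_record(*key, CUSTOM_INFO_TYPE, b"sourcename -> destname"))


if __name__ == "__main__":
    for key, items in extra_data_by_event(sample_file()).items():
        for ed in items:
            print(key, ed.info_type, ed.blob.decode("ascii", "replace"))
```

The reader deliberately fails on a truncated record or a blob_length that does not fit inside the record rather than reading whatever bytes follow, which is the check any consumer of an unfamiliar EventInfo type should make before trusting the blob.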



