[Snort-users] Smb output

Frank Knobbe frank at ...9761...
Wed Jul 21 15:41:01 EDT 2004


On Wed, 2004-07-21 at 17:13, Michael Sconzo wrote:
> > As I said, looks like the output plugin could be optimized where the
> > admin supplies not only the IP address but also the NetBIOS name of
> the
> > system to be contacted. All Snort would need to do is populate a UDP
> > packet and throw it on the wire (without calling smbclient).
> 
> Ok, if you re-wrote smbclient (or at least the part that does the
> WinPopUp stuff),

No, no. I'm saying don't use smbclient at all. Have Snort populate a UDP
packet and send it out. 

> But
> then you need to get the NetBIOS name out of something etc

As I said, have that specified in snort.conf. Then again, is it really
needed? Look at the Windows spam pop-ups from the Internet. They only
use an IP addresses, no NetBIOS name.

Matter the fact, such a spam packet (perhaps one that is logged by Snort
itself), could be used as a blue print for an improved SMB alert packet.

>  ... and
> calling the external programs via a script or something 

Again, no external programs involved. Snort will, just like with the TCP
reset packets, assemble and send its own packet. No call to external
programs.

> Then that gets into duplicating work etc ... but if you or somebody
> else does it, I wouldn't complain either, and would probably use it.

Heh... I don't even have much time at the moment to work on Snortsam. :(
And since I don't use the SMB alert, there is no incentive for me
either. Speaking of Snortsam, I'm doing something very similar there.
The OPSEC plugin calls the OPSEC library routines. However, I also have
my own routine that populates an OPSEC like packet and sends it out.
Matter the fact, this fwsam plugin was there first, derived from packet
captures and an afternoon reverse engineering the OPSEC packet format.
It is much faster than the official OPSEC library.

Anyhow... my point is that the alert itself is just a single UDP packet.
Snort can send one itself without having to do all sorts of stuff like
resolving NetBIOS names and calling executables like smbclient. Another
advantage of not depending on smbclient is that it would work on any
platform, even Windows.

Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040721/5e736d0b/attachment.sig>


More information about the Snort-users mailing list