Snort mailing list archives
Re: Snort-devel Digest, Vol 98, Issue 7
From: Muhammad Ridwan Zalbina <zalbinaridwan () gmail com>
Date: Mon, 29 Sep 2014 16:03:59 +0700
Hello, I'm new here ... I want to ask something about Snort development .. is there a way to modify a preprocessor of Snort to combine it with a Web Application Firewall like ModSecurity ... if so, can you tell me the way ... ?

On Fri, Sep 26, 2014 at 8:17 PM, <snort-devel-request () lists sourceforge net> wrote:
Today's Topics:

  1. Re: How to log an IP address in dpx.c ? (Emiliano Fausto)
  2. DAQ output (Eugenio Perez)
  3. Possible to configure snort for an alternative to /etc for default conf. files? (Rich Burridge)
  4. Re: Possible to configure snort for an alternative to /etc for default conf. files? (Rich Burridge)

----------------------------------------------------------------------

Message: 1
Date: Tue, 16 Sep 2014 12:48:40 -0300
From: Emiliano Fausto <emiliano.fausto () gmail com>
Subject: Re: [Snort-devel] How to log an IP address in dpx.c ?
To: "Zeeuw, L.V. de" <l.v.de.zeeuw () hr nl>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Message-ID: <CAD2H3x8b=-NgD+fme_+nfAOEY7=cuSk-T1=k3gujpV2JdzF0kA () mail gmail com>
Content-Type: text/plain; charset="utf-8"

That's great!

Regards,
Emi

2014-09-16 11:47 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw () hr nl>:

Hi Emiliano (and Steven), working on the code you provided previously, this code will do the job for me:

    IP4Hdr iphd;
    sfip_t iphdt;
    iphd = p->inner_ip4h;
    iphdt = iphd.ip_src;
    unsigned char *ipV4address = (unsigned char*) &iphdt.ip;
    _dpd.logMsg("IPsource %u.%u.%u.%u\n", *ipV4address, *(ipV4address+1),
                *(ipV4address+2), *(ipV4address+3));
    iphdt = iphd.ip_dst;
    _dpd.logMsg("IPdestination %u.%u.%u.%u\n", *ipV4address, *(ipV4address+1),
                *(ipV4address+2), *(ipV4address+3));

Using the test.pcap as input file. Output:

    ..
    IPsource 10.9.8.7
    IPdestination 10.4.5.6
    ..

Thank you both for your time.

Regards,
Luc

Emiliano Fausto <emiliano.fausto () gmail com> 09/15/14 3:12 PM >>>

Hello Luc, what if you try with something like this?

    _dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
                (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
                (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF,
                src_port_test);

Maybe there's a better way, but hope it helps.

Regards,
Emiliano.

2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw () hr nl>:

Hi Emiliano, I am still trying to log the IP4 source and IP4 destination addresses in dotted decimal format. I was too fast in my opinion that everything worked fine using the code you provided previously. I hope you will help me once again (or anyone else) to figure out what is wrong.

When I am adding this code to the dpx.c (from the dpx-1.6.tar.gz) just before the last }

    IP4Hdr iphd;
    sfip_t iphdt;
    iphdt = iphd.ip_src;
    unsigned char* ipsrcp_test = (unsigned char*)&iphdt.ip;
    unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
                               (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
    unsigned short int src_port_test = p->src_port;
    iphdt = iphd.ip_dst;
    unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
    unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
                               (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
    unsigned short int dst_port_test = p->dst_port;
    _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
                src_ip_test, src_port_test, dst_ip_test, dst_port_test);

I can not find the correct IP address output (the port numbers are correct) when running ./test.sh (using test.pcap as input)

    Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
    Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
    Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
    Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
    Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
    Test: ipsrc16777216 portsrc12345 ipdst0 portDst80

The IPsrc should be 10.1.2.3 ... The IPdst should be 10.4.5.6 ...

I can not figure out what is wrong. Any help is appreciated.

Regards,
Luc

Zeeuw, L.V. de 07/25/14 9:19 AM >>>

Hi Emiliano, thank you! I have tried this and indeed it works fine if I use

    IP4Hdr iphd;
    sfip_t iphdt;

for the declaration. These code snippets are very useful!

Regards,
Luc

Emiliano Fausto <emiliano.fausto () gmail com> 07/24/14 6:49 PM >>>

Hello Luc, I've tried this testing and it works fine:

    iphdt = iphd.ip_src;
    unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
    unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) +
                               (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
    unsigned short int src_port_test = p->src_port;
    iphdt = iphd.ip_dst;
    unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
    unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) +
                               (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
    unsigned short int dst_port_test = p->dst_port;
    _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n",
                src_ip_test, src_port_test, dst_ip_test, dst_port_test);

Hope it helps,
Emiliano.

2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw () hr nl>:

Hi, I am experimenting with the dpx. It's working. Now I started adding some statements to view the content of the ip4/tcp headers. I am able to log things like src/dst, TCP payload size, etc.

    SFSnortPacket* p = (SFSnortPacket*)pkt;
    _dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port, p->dst_port);
    _dpd.logMsg("Payload size %i\n", p->payload_size);

but from sf_snort_packet.h and sf_ip.h (??) I do not know how to log an ip-address ... I should like to ...

    _dpd.logMsg("Source ip %?? \n", ?????);

BTW: Are there any recent books/tutorials for these kind of questions you would recommend? What about Snort development documentation for the most recent Snort version?

Any help is appreciated.

Regards,
Luc, the Netherlands

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!

------------------------------

Message: 2
Date: Wed, 24 Sep 2014 10:20:30 +0200
From: Eugenio Perez <eugenio () redborder org>
Subject: [Snort-devel] DAQ output
To: snort-devel () lists sourceforge net
Message-ID: <CACJcbv2b4wO8tVapdgNhmuUJ++QwhkhycCeAvzC6ag6TWvNdBg () mail gmail com>
Content-Type: text/plain; charset=UTF-8

Hi everyone.

Is there any way to do DAQ logging from the daq_acquire() function? I have only seen two ways so far:

- Raw fprintf, so I can't be homogeneous with snort logging
- Break and return some kind of error (that I definitely don't want to, because I only want to report a log, not break)

Thanks for all and regards.

------------------------------

Message: 3
Date: Thu, 25 Sep 2014 14:20:08 -0700
From: Rich Burridge <rich.burridge () oracle com>
Subject: [Snort-devel] Possible to configure snort for an alternative to /etc for default conf. files?
To: snort-devel () lists sourceforge net
Message-ID: <54248708.3030805 () oracle com>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi,

Is it possible to build snort from source (a configure option that I'm overlooking perhaps), so that it looks for its various default configuration files (like snort.conf) under (say) /etc/snort instead of directly under /etc ?

I did notice:

    --sysconfdir=DIR    read-only single-machine data [PREFIX/etc]

when I did "configure --help", but I'm not sure that's the solution. From a quick glance at the snort source code, looking directly under "/etc/" seems to be baked in.

I do know about the "-c" runtime option to allow a different conf file, but I'm the guy that creates the snort package for Solaris. I've been asked to consider that the default install for snort config files should be /etc/snort/... rather than /etc, so as not to "pollute" /etc. I'm just trying to determine if it's (easily) possible to do.

Thanks.

------------------------------

Message: 4
Date: Fri, 26 Sep 2014 06:16:50 -0700
From: Rich Burridge <rich.burridge () oracle com>
Subject: Re: [Snort-devel] Possible to configure snort for an alternative to /etc for default conf. files?
To: snort-devel () lists sourceforge net
Message-ID: <54256742.5010909 () oracle com>
Content-Type: text/plain; charset="utf-8"

I did a bit more investigation on this. I ran:

    $ sudo /usr/bin/snort -T
    ERROR: Test mode must be run with a snort configuration file.
    Use the '-c' option on the command line to specify a configuration file.
    Fatal Error, Quitting..

That seems to disagree with what the snort.8 man page says:

    -T  Snort will start up in self-test mode, checking all the supplied
        command line switches and rules files that are handed to it and
        indicating that everything is ready to proceed. This is a good
        switch to use if daemon mode is going to be used, it verifies
        that the Snort configuration that is about to be used is valid
        and won't fail at run time. Note, Snort looks for either
        /etc/snort.conf or ./snort.conf. If your config lives elsewhere,
        use the -c option to specify a valid config-file.

I then truss'ed (Solaris equivalent of Linux strace), and sure enough, snort doesn't try to open /etc/snort.conf or ./snort.conf

Trying:

    $ sudo /usr/bin/snort -T -c /etc/snort.conf
    Running in Test mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort.conf"
    ...

works just fine.

So is this just a case of the -T section in the snort.8 man page being wrong and you have to supply a configuration file at run time via the -c command line option?

Thanks.

------------------------------

End of Snort-devel Digest, Vol 98, Issue 7
******************************************
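The IPv4 address formatting worked out in message 1 of the quoted digest, as an added example that is my own code and not from the thread or from Snort/dpx: it takes the four network-order address bytes from a constructed array standing in for the header field (in Snort they sit at the start of sfip_t.ip), packs them the way Emiliano's snippet does but with the cast that keeps the shift defined for bytes of 128 or more, formats them both ways, and cross-checks the result against inet_ntop(). The SAMPLE_* arrays and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed stand-ins for the four network-order address bytes a preprocessor
 * reads from the IPv4 header (the start of sfip_t.ip in Snort); not real packets. */
static const unsigned char SAMPLE_SRC[4] = {10, 1, 2, 3};
static const unsigned char SAMPLE_DST[4] = {192, 168, 0, 6};

/* Pack four network-order bytes into one host-order 32-bit value. Each byte is
 * widened first: a bare (byte << 24) promotes to int, and shifting a byte >= 128
 * into the sign bit is undefined behaviour in C. */
uint32_t ipv4_pack_host(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Dotted decimal from a host-order value (shift-and-mask).
 * Returns the number of characters written, or -1 if the buffer is too small. */
int ipv4_format_host(uint32_t v, char *out, size_t len)
{
    int n = snprintf(out, len, "%u.%u.%u.%u", (v >> 24) & 0xFF,
                     (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Dotted decimal straight from the bytes (the byte-pointer approach). */
int ipv4_format_bytes(const unsigned char *b, char *out, size_t len)
{
    int n = snprintf(out, len, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Cross-check both formatters against libc's inet_ntop(); 1 if all three agree. */
int ipv4_formatters_agree(const unsigned char *b)
{
    char a[INET_ADDRSTRLEN], c[INET_ADDRSTRLEN], ref[INET_ADDRSTRLEN];
    if (ipv4_format_host(ipv4_pack_host(b), a, sizeof a) < 0) return 0;
    if (ipv4_format_bytes(b, c, sizeof c) < 0) return 0;
    if (!inet_ntop(AF_INET, b, ref, sizeof ref)) return 0;
    return strcmp(a, ref) == 0 && strcmp(c, ref) == 0;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    ipv4_format_bytes(SAMPLE_SRC, buf, sizeof buf);
    printf("IPsource %s (packed %u)\n", buf, ipv4_pack_host(SAMPLE_SRC));
    return ipv4_formatters_agree(SAMPLE_DST) ? 0 : 1;
}
```

Packing the bytes {1, 0, 0, 0} gives 16777216, the value the unassigned-header snippet printed, so feeding a logged number back through ipv4_format_host() shows which bytes the header read actually held.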
Current thread:
- Re: Snort-devel Digest, Vol 98, Issue 7 Muhammad Ridwan Zalbina (Sep 29)
- Re: Snort-devel Digest, Vol 98, Issue 7 Hui Cao (huica) (Sep 30)
