Snort mailing list archives

Re: Obfuscation of binary logs


From: Phil Wood <cpw () lanl gov>
Date: Fri, 15 Nov 2002 14:02:07 -0700

I think the dude wanted to take a pcap snort.log file:

1. That looked like this:

% tcpdump -n -r /tmp/snort.log
13:34:17.041858 IP 192.168.114.97.34528 > 192.168.114.88.1234: udp 8 (DF)

2. And obfuscate it with some program:

% bag -r /tmp/snort.log -w /tmp/10.10.pcap -Cchcksum,192.168:10.10

3. So that it looks like this:

% tcpdump -n -r /tmp/10.10.pcap

13:34:17.041858 IP 10.10.114.97.34528 > 10.10.114.88.1234: udp 8 (DF)

4. And he could then apply a generic rules set with a HOME_NET of 10.10
   to the output of step 2 like so (assuming he had a little gen-alert
   program that takes pcap on stdin and writes it on stdout):

% bag -r /tmp/snort.log -w - -Cchcksum,192.168:10.10 | gen-alert - > /tmp/alert
% cat /tmp/alert
11/15-13:34:17.041858  [**] [1:40000:1] udp to port 1234 with sansman [**] [Classification: Your test succeeded] [Priority: 4] {UDP} 10.10.114.97:34528 -> 10.10.114.88:1234

(Oh, and by the way, all the checksums in the various headers are correct).

But, that's not possible, or, is it?  %^)

On Fri, Nov 15, 2002 at 12:32:49PM -0800, Alberto Gonzalez wrote:
You just have to run the binary log back through snort.

Taken from http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.5:

/usr/local/bin/snort -d -v -r snort.log -O -h 192.168.1.0/24

Urgh, Erek isn't it too early for drinking!?!?

   - Albert

Grime, Richard S wrote:

Hi,

I note from the man page that -O and -h can be used to obfuscate the 
home IP address in ASCII packet dump mode - how (can?) this 
functionality be used for binary logs?

Thanks,

Richard



-- 
The secret to success is to start from scratch and keep on scratching.




-------------------------------------------------------
This sf.net email is sponsored by: To learn the basics of securing 
your web site with SSL, click here to get a FREE TRIAL of a Thawte 
Server Certificate: http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
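The rewrite Phil sketches (turn every 192.168.x.y in a pcap into 10.10.x.y and leave every checksum valid) as an added Python example written for this archive page; it is neither Phil's `bag` tool nor part of Snort. All names in it are assumptions: the functions, the constructed sample frame modelled on the tcpdump line in the thread, and the restriction to classic libpcap files with the Ethernet link type.

```python
import struct

PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic microsecond pcap


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksums(ip: bytes) -> bytes:
    """Recompute the IPv4 header checksum and, for unfragmented TCP/UDP, the transport checksum."""
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    hdr = bytearray(ip[:ihl])
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    l4 = bytearray(ip[ihl:total_len])
    off = {6: 16, 17: 6}.get(proto)  # checksum field offset in the TCP / UDP header
    fragmented = struct.unpack("!H", ip[6:8])[0] & 0x3FFF  # MF bit set or non-zero offset
    if off is not None and not fragmented and len(l4) >= off + 2:
        l4[off:off + 2] = b"\x00\x00"
        # TCP and UDP checksums cover a pseudo-header holding both addresses, which is why
        # changing an address silently breaks them.
        pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, proto, len(l4))
        c = inet_checksum(pseudo + bytes(l4))
        if proto == 17 and c == 0:
            c = 0xFFFF  # UDP sends a computed zero as all ones (zero means "no checksum")
        l4[off:off + 2] = struct.pack("!H", c)
    return bytes(hdr) + bytes(l4) + ip[total_len:]  # link-layer padding, if any, is kept


def checksums_ok(ip: bytes) -> bool:
    """A packet whose checksums are already correct is unchanged by recomputing them."""
    return fix_checksums(ip) == ip


def rewrite_ipv4(ip: bytes, old_prefix: bytes, new_prefix: bytes) -> bytes:
    """Replace old_prefix with new_prefix at the start of src/dst, then fix the checksums."""
    hdr = bytearray(ip[:20])
    for off in (12, 16):  # source address, then destination address
        addr = bytes(hdr[off:off + 4])
        if addr.startswith(old_prefix):
            hdr[off:off + 4] = new_prefix + addr[len(old_prefix):]
    return fix_checksums(bytes(hdr) + ip[20:])


def _records(data: bytes):
    """Yield (record header, frame) pairs from a classic pcap with the Ethernet link type."""
    end = PCAP_MAGIC.get(data[:4])
    if end is None:
        raise ValueError("not a classic microsecond-resolution pcap")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("this example only handles DLT_EN10MB (Ethernet)")
    pos = 24
    while pos + 16 <= len(data):
        rec = data[pos:pos + 16]
        incl_len = struct.unpack(end + "I", rec[8:12])[0]
        yield rec, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def rewrite_pcap(data: bytes, old_prefix: bytes, new_prefix: bytes) -> bytes:
    """Rewrite every untagged IPv4 frame; VLAN-tagged, ARP, IPv6 etc. pass through unchanged."""
    out = bytearray(data[:24])
    for rec, frame in _records(data):
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            frame = frame[:14] + rewrite_ipv4(frame[14:], old_prefix, new_prefix)
        out += rec + frame
    return bytes(out)


def addresses(frame: bytes) -> tuple:
    """(src, dst) of an Ethernet/IPv4 frame as dotted quads."""
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))


def build_udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame, DF set, checksums filled in (sample input)."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, s, d) + udp
    return bytes.fromhex("001122334455 66778899aabb 0800") + fix_checksums(ip)


def build_pcap(frames: list) -> bytes:
    """Constructed little-endian classic pcap (DLT_EN10MB) with one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):  # constructed timestamps
        out += struct.pack("<IIII", 1037392457, 41858 + i, len(frame), len(frame)) + frame
    return out


# Constructed sample modelled on the thread's tcpdump line: 192.168.114.97.34528 > 192.168.114.88.1234, udp 8, DF
SAMPLE_PCAP = build_pcap([build_udp_frame("192.168.114.97", "192.168.114.88", 34528, 1234, b"sansman!")])

if __name__ == "__main__":
    result = rewrite_pcap(SAMPLE_PCAP, bytes([192, 168]), bytes([10, 10]))
    for _, frame in _records(result):
        print(addresses(frame), "checksums ok:", checksums_ok(frame[14:]))
```

The point of `fix_checksums` is the one the thread circles around: the IPv4 header checksum and the TCP/UDP checksum (through its pseudo-header) both cover the addresses, so a byte-level search-and-replace on a pcap produces packets that tcpdump will display but that a checksum-verifying sensor may drop. The example deliberately leaves fragments, VLAN-tagged frames and non-IPv4 frames alone rather than guessing; a capture containing those needs the rewriter extended, not silently mangled. Rewriting only the /16 prefix, as Phil's command does, keeps host parts recognisable, which is what lets a generic rule set with a 10.10 HOME_NET still match.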




