Snort mailing list archives
Re: [snort-devel] Chainning pre-processors
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Thu, 5 Dec 2013 11:26:28 -0200
Hello Hui, you are totally right. I was confused, I didn't have to assemble fragmented IP packets. So, I configured the Stream5 preprocessor in order it to take into account the port of my application (it's 9090). I let my AddPreproc() with priority set to PRIORITY_APPLICATION so that it's registered after the Stream5. Then, I tried to get any packet with (p->flags & FLAG_REBUILT_STREAM), but none of them matched, it seems that the Stream5 preprocessor isn't reassembling my TCP segments. The SNORT configuration file is set like this: preprocessor stream5_global: track_tcp yes, \ track_udp yes, \ track_icmp no, \ max_tcp 262144, \ max_udp 131072, \ max_active_responses 2, \ min_response_seconds 5 preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \ overlap_limit 10, small_segments 3 bytes 150, timeout 180, \ ports client 21 22, \ ports both 9090 preprocessor stream5_udp: timeout 180 My app works on port 9090. Maybe, the problem is not related to stream5, maybe the problem is originated because the one in charge of doing the segments reassembly is my preprocessor, at the application level, and not the stream5 preprocessor at the TCP level. More on this, into wireshark I can see all the packets of the protocol TCP segmented, and if I go to preferences-->protocols-->TCP it has an option that says: "allow dissectors to reassemble TCP". It means that the reassemble isn't being done at the TCP layer, but into the proper application. Do you know if SNORT has something of this? Or the Stream5 should reassemble the payloads of the TCP packets? Thanks a lot in advance, Emiliano. 2013/12/4 Hui Cao <hcao () sourcefire com>
Frag3 will deal with IP fragmentation. You might want reassembled data from TCP. This means your preprocessor should be after stream and you should check (SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_STREAM. Snort will only reassemble up to the flush point defined (typically 16K). You can't expect snort will give all the data from one reassembled packet. Fragmentation from wireshark might mean TCP segmentation. You might get full IP packets. Best, Hui. On 12/04/2013 03:17 PM, Emiliano Fausto wrote: Hui, yes, I understood what you told me about filtering just the de-fragmented packets, that's why I added these 3 lines: SFSnortPacket *p = (SFSnortPacket *)pkt; int fla = (p->flags & FLAG_REBUILT_FRAG); _dpd.logMsg("Flags set? %d",fla); But I generate fragmented packets (which for instance Wireshark detects and show as fragmented and the possibility of reassembly them) and I'm always getting with each one the output: "Flags set? 0". I receive all the fragmented packets, but not the last one reassembled. Regards, Emiliano. 2013/12/4 Hui Cao <hcao () sourcefire com>It will still get all packets including the raw packets. You need to use packet flags to filter them. Best, Hui. On Wed, Dec 4, 2013 at 3:00 PM, Emiliano Fausto <emiliano.fausto () gmail com> wrote:Yes, that's what I thought, but for some reason the TCP packets keep oncomingfragmented to my preprocessor. No I took off all the preprocessors and just let the frag3 and mines,I'lltry to figure out if they are called in the correct order, but they arenotbeing chained. Thanks, Emiliano. 2013/12/4 Hui Cao <hcao () sourcefire com>It looks good to me. Best, Hui. On Wed, Dec 4, 2013 at 2:44 PM, Emiliano Fausto <emiliano.fausto () gmail com> wrote:Hi Hui, I've seen that I was using PRIORITY_TRANSPORT, which is lower thanthePRIORITY_NETWORK that uses frag3. Anyway, I put the priority: PRIORITY_LAST to my own preprocessor, but when the TCP packets keep arriving fragmented to my preprocessor. Is there anything else I should take into account? Thanks in advance, Emiliano. 2013/12/4 Hui Cao <hcao () sourcefire com>In sr/preprocids.h Best, Hui. On 12/04/2013 02:36 PM, Emiliano Fausto wrote: Great, so, the pre-processors are "chained" by default, and the order that SNORT follows to call them is set by the PRIORITY variable. Do you know where's defined this PRIORITY variable? Because I sawthatthe frag3 is being registered with PRIORITY_NETWORK, so I'd like to setthepriority of my own preprocessor as (PRIORITY_NETWORK -1). Thanks in advance, Emiliano 2013/12/4 Hui Cao <hcao () sourcefire com>sc means snort configuration. We use PRIORITY to sort theprocessing.All processors enabled will be called and processed based on priority.Youhave to rely on the code to figure out what exactly snort does. The checking is correct. You will only process rebuilt packets. Best, Hui. On 12/04/2013 02:19 PM, Emiliano Fausto wrote: Hello Hui, thanks a lot for your answer. Right now I have registered my preprocessor (let's call it examplePreprocess as you said, because right now I'm using the one provided with the DPX) with this line: _dpd.addPreproc(ExampleProcess, PRIORITY_TRANSPORT, 10000, PROTO_BIT__TCP); So, the only change is to add previous to the parameter ExampleProcess, the "sc". What does it mean? Do you know if there's anydocumentationabout this chaining preprocesses? So, checking the flags, should be: (SFSnortPacket*)tcppacket)->flags & FLAG_REBUILT_FRAG right? Thanks again! Emiliano. Then, I'll have to register my own preprocessor where? 2013/12/4 Hui Cao <hcao () sourcefire com>Yes, it is possible. You can register you preprocessor like this: _dpd.addPreproc( sc, ExampleProcess, PRIORITY_TRANSPORT,You_PP_ID,PROTO_BIT__IP ); Remember check the following flag in your ExampleProcess: (SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG Best, Hui. On 12/04/2013 12:52 PM, Emiliano Fausto wrote: Hi everybody, I'm creating a new preprocessor which needs to have the wholecontentin a packet which was fragmented. So I thought of using the frag3 preprocessor to re-assembly the packets, and then, when this reassembly is done, sent it to my own preprocessor. Do you know if this is possible? May I have the output of frag3beingthe input of my own preprocessor? Regards, Emiliano.------------------------------------------------------------------------------Sponsored by Intel(R) XDK Develop, test and display web and hybrid apps with a single code base. Download it for free now!http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-develPlease visit http://blog.snort.org for the latest news aboutSnort!------------------------------------------------------------------------------Sponsored by Intel(R) XDK Develop, test and display web and hybrid apps with a single code base. Download it for free now!http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-develPlease visit http://blog.snort.org for the latest news aboutSnort!
------------------------------------------------------------------------------ Sponsored by Intel(R) XDK Develop, test and display web and hybrid apps with a single code base. Download it for free now! http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: [snort-devel] Chainning pre-processors, (continued)
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 04)
- Re: [snort-devel] Chainning pre-processors Hui Cao (Dec 04)
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 04)
- Re: [snort-devel] Chainning pre-processors Hui Cao (Dec 04)
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 04)
- Re: [snort-devel] Chainning pre-processors Hui Cao (Dec 04)
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 04)
- Re: [snort-devel] Chainning pre-processors Hui Cao (Dec 04)
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 04)
- Re: [snort-devel] Chainning pre-processors Hui Cao (Dec 04)
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 05)
- Re: [snort-devel] Chainning pre-processors Hui Cao (Dec 05)
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 05)
- Re: [snort-devel] Chainning pre-processors Hui Cao (Dec 05)
- Message not available
- Message not available
- Message not available
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 05)
- Re: [snort-devel] Chainning pre-processors Emiliano Fausto (Dec 04)