Snort mailing list archives
Re: Snort-devel Digest, Vol 98, Issue 7
From: "Hui Cao (huica)" <huica () cisco com>
Date: Tue, 30 Sep 2014 19:00:52 +0000
You can use a snort preprocessor to work with a firewall. I am not familiar with Web Application Firewalls like mod security, but I am sure this will involve lots of development.

Best,
Hui.

From: Muhammad Ridwan Zalbina <zalbinaridwan () gmail com>
Date: Monday, September 29, 2014 at 5:03 AM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 98, Issue 7

Hello, I'm new here ... I wanna ask something about snort development .. is there a way to modify a preprocessor of snort to combine it with a Web Application Firewall like modsecurity ... if so, can you tell me the way ... ?

On Fri, Sep 26, 2014 at 8:17 PM, <snort-devel-request () lists sourceforge net> wrote:

Send Snort-devel mailing list submissions to
    snort-devel () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-devel
or, via email, send a message with subject or body 'help' to
    snort-devel-request () lists sourceforge net

You can reach the person managing the list at
    snort-devel-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-devel digest..."

Today's Topics:

   1. Re: How to log an IP address in dpx.c ? (Emiliano Fausto)
   2. DAQ output (Eugenio Perez)
   3. Possible to configure snort for an alternative to /etc for default conf. files? (Rich Burridge)
   4. Re: Possible to configure snort for an alternative to /etc for default conf. files? (Rich Burridge)

----------------------------------------------------------------------

Message: 1
Date: Tue, 16 Sep 2014 12:48:40 -0300
From: Emiliano Fausto <emiliano.fausto () gmail com>
Subject: Re: [Snort-devel] How to log an IP address in dpx.c ?
To: "Zeeuw, L.V. de" <l.v.de.zeeuw () hr nl>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Message-ID: <CAD2H3x8b=-NgD+fme_+nfAOEY7=cuSk-T1=k3gujpV2JdzF0kA () mail gmail com>
Content-Type: text/plain; charset="utf-8"

That's great!

Regards,
Emi

2014-09-16 11:47 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw () hr nl>:
Hi Emiliano (and Steven),

working on the code you provided previously, this code will do the job for me:

    IP4Hdr iphd;
    sfip_t iphdt;
    iphd = p->inner_ip4h;                 /* copy the inner IPv4 header out of the packet */
    iphdt = iphd.ip_src;
    unsigned char *ipV4address = (unsigned char*) &iphdt.ip;   /* address bytes, network order */
    _dpd.logMsg("IPsource %u.%u.%u.%u\n", *ipV4address, *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));
    iphdt = iphd.ip_dst;                  /* ipV4address still points into iphdt, now holding the destination */
    _dpd.logMsg("IPdestination %u.%u.%u.%u\n", *ipV4address, *(ipV4address+1), *(ipV4address+2), *(ipV4address+3));

Using the test.pcap as input file. Output:

    ..
    IPsource 10.9.8.7
    IPdestination 10.4.5.6
    ..

Thank you both for your time.

Regards,
Luc

Emiliano Fausto <emiliano.fausto () gmail com> 09/15/14 3:12 PM >>>

Hello Luc,

what if you try with something like this?

    _dpd.logMsg("Test: IP: %u.%u.%u.%u PORT: %u\n",
                (src_ip_test >> 24) & 0xFF, (src_ip_test >> 16) & 0xFF,
                (src_ip_test >> 8) & 0xFF, (src_ip_test >> 0) & 0xFF, src_port_test);

Maybe there's a better way, but hope it helps.

Regards,
Emiliano.

2014-09-15 9:59 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw () hr nl>:

Hi Emiliano,

I am still trying to log the IP4 source and IP4 destination addresses in dotted decimal format. I was too fast in my opinion that everything worked fine using the code you provided previously. I hope you will help me once again (or anyone else) to figure out what is wrong.

When I am adding this code to the dpx.c (from the dpx-1.6.tar.gz) just before the last }

    IP4Hdr iphd;
    sfip_t iphdt;
    iphdt = iphd.ip_src;
    unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
    unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) + (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
    unsigned short int src_port_test = p->src_port;
    iphdt = iphd.ip_dst;
    unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
    unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) + (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
    unsigned short int dst_port_test = p->dst_port;
    _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n", src_ip_test, src_port_test, dst_ip_test, dst_port_test);

I can not find the correct IP address output (the port numbers are correct) when running ./test.sh (using test.pcap as input):

    Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
    Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
    Test: ipsrc16777216 portsrc12345 ipdst0 portDst80
    Test: ipsrc16777216 portsrc12345 ipdst0 portDst8
    Test: ipsrc16777216 portsrc8 ipdst0 portDst12345
    Test: ipsrc16777216 portsrc12345 ipdst0 portDst80

The IPsrc should be 10.1.2.3 ... The IPdst should be 10.4.5.6 ... I can not figure out what is wrong. Any help is appreciated.

Regards,
Luc

Zeeuw, L.V. de 07/25/14 9:19 AM >>>

Hi Emiliano,

thank you! I have tried this and indeed it works fine if I use

    IP4Hdr iphd;
    sfip_t iphdt;

for the declaration. These code snippets are very useful!

Regards,
Luc

Emiliano Fausto <emiliano.fausto () gmail com> 07/24/14 6:49 PM >>>

Hello Luc,

I've tried this testing and it works fine:

    IP4Hdr iphd = p->inner_ip4h;   /* declarations as used later in the thread */
    sfip_t iphdt;
    iphdt = iphd.ip_src;
    unsigned char* ipsrcp_test = (unsigned char*) &iphdt.ip;
    unsigned int src_ip_test = (*ipsrcp_test << 24) + (*(ipsrcp_test+1) << 16) + (*(ipsrcp_test+2) << 8) + *(ipsrcp_test+3);
    unsigned short int src_port_test = p->src_port;
    iphdt = iphd.ip_dst;
    unsigned char* ipdstp_test = (unsigned char*) &iphdt.ip;
    unsigned int dst_ip_test = (*ipdstp_test << 24) + (*(ipdstp_test+1) << 16) + (*(ipdstp_test+2) << 8) + *(ipdstp_test+3);
    unsigned short int dst_port_test = p->dst_port;
    _dpd.logMsg("\tTest: ipsrc%u portsrc%u ipdst%u portDst%u\n", src_ip_test, src_port_test, dst_ip_test, dst_port_test);

Hope it helps,
Emiliano.

2014-07-24 10:35 GMT-03:00 Zeeuw, L.V. de <l.v.de.zeeuw () hr nl>:

Hi,

I am experimenting with the dpx. It's working. Now I started adding some statements to view the content of the ip4/tcp headers. I am able to log things like src/dst, TCP payload size, etc.

    SFSnortPacket* p = (SFSnortPacket*)pkt;
    _dpd.logMsg("Source port: %i, Destination port: %i\n", p->src_port, p->dst_port);
    _dpd.logMsg("Payload size %i\n", p->payload_size);

but from sf_snort_packet.h and sf_ip.h (??) I do not know how to log an ip-address ... I should like to ...

    _dpd.logMsg("Source ip %?? \n", ?????);

BTW: Are there any recent books/tutorials for these kind of questions you would recommend? What about Snort development documentation for the most recent Snort version?

Any help is appreciated.

Regards,
Luc
the Netherlands
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!

------------------------------

Message: 2
Date: Wed, 24 Sep 2014 10:20:30 +0200
From: Eugenio Perez <eugenio () redborder org>
Subject: [Snort-devel] DAQ output
To: snort-devel () lists sourceforge net
Message-ID: <CACJcbv2b4wO8tVapdgNhmuUJ++QwhkhycCeAvzC6ag6TWvNdBg () mail gmail com>
Content-Type: text/plain; charset=UTF-8

Hi everyone.

Is there any way to do DAQ logging from the daq_acquire() function? I have only seen two ways so far:

- Raw fprintf, so I can't be homogeneous with snort logging
- Break and return some kind of error (that I definitely don't want to, because I only want to report a log, not break)

Thanks for all and regards.

------------------------------

Message: 3
Date: Thu, 25 Sep 2014 14:20:08 -0700
From: Rich Burridge <rich.burridge () oracle com>
Subject: [Snort-devel] Possible to configure snort for an alternative to /etc for default conf. files?
To: snort-devel () lists sourceforge net
Message-ID: <54248708.3030805 () oracle com>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi,

Is it possible to build snort from source (a configure option that I'm overlooking perhaps), so that it looks for its various default configuration files (like snort.conf) under (say) /etc/snort instead of directly under /etc ?

I did notice:

    --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]

when I did "configure --help", but I'm not sure that's the solution. From a quick glance at the snort source code, looking directly under "/etc/" seems to be baked in.

I do know about the "-c" runtime option to allow a different conf file, but I'm the guy that creates the snort package for Solaris.
I've been asked to consider that the default install for snort config files should be /etc/snort/... rather than /etc, so as not to "pollute" /etc. I'm just trying to determine if it's (easily) possible to do.

Thanks.

------------------------------

Message: 4
Date: Fri, 26 Sep 2014 06:16:50 -0700
From: Rich Burridge <rich.burridge () oracle com>
Subject: Re: [Snort-devel] Possible to configure snort for an alternative to /etc for default conf. files?
To: snort-devel () lists sourceforge net
Message-ID: <54256742.5010909 () oracle com>
Content-Type: text/plain; charset="utf-8"

I did a bit more investigation on this. I ran:

    $ sudo /usr/bin/snort -T
    ERROR: Test mode must be run with a snort configuration file.
    Use the '-c' option on the command line to specify a configuration file.
    Fatal Error, Quitting..

That seems to disagree with what the snort.8 man page says:

    -T   Snort will start up in self-test mode, checking all the supplied command line switches and rules files that are handed to it and indicating that everything is ready to proceed. This is a good switch to use if daemon mode is going to be used, it verifies that the Snort configuration that is about to be used is valid and won't fail at run time. Note, Snort looks for either /etc/snort.conf or ./snort.conf. If your config lives elsewhere, use the -c option to specify a valid config-file.

I then truss'ed (Solaris equivalent of Linux strace), and sure enough, snort doesn't try to open /etc/snort.conf or ./snort.conf

Trying:

    $ sudo /usr/bin/snort -T -c /etc/snort.conf
    Running in Test mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort.conf"
    ...

works just fine.

So is this just a case of the -T section in the snort.8 man page being wrong and you have to supply a configuration file at run time via the -c command line option?

Thanks.

------------------------------

End of Snort-devel Digest, Vol 98, Issue 7
******************************************
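Added example, not code from the thread and not Snort's own: the byte-packing and dotted-decimal formatting the dpx.c discussion converges on, written as stand-alone C against a constructed 4-byte stand-in for the address bytes at &iphdt.ip (the names ipv4_bytes, ipv4_pack, ipv4_format and ipv4_matches are mine). It also decodes the 16777216 Luc saw back to the octets 1.0.0.0, which is what an address field that was never filled from the packet can look like; the later fix on this page is the missing iphd = p->inner_ip4h.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the four bytes at &iphdt.ip: an IPv4
 * address stored in network byte order, exactly as it is on the wire. */
typedef struct { unsigned char octet[4]; } ipv4_bytes;

/* Pack the octets into a host-order 32-bit value. This is the shift
 * expression from the thread, with explicit widening so that
 * octet[0] << 24 cannot overflow on a platform with 16-bit int. */
uint32_t ipv4_pack(const ipv4_bytes *a) {
    return ((uint32_t)a->octet[0] << 24) | ((uint32_t)a->octet[1] << 16) |
           ((uint32_t)a->octet[2] << 8)  |  (uint32_t)a->octet[3];
}

/* Format a packed value as dotted decimal; returns the length written,
 * or -1 if the buffer cannot hold the longest address plus NUL (16). */
int ipv4_format(uint32_t a, char *out, size_t n) {
    int len = snprintf(out, n, "%u.%u.%u.%u",
                       (unsigned)((a >> 24) & 0xFF), (unsigned)((a >> 16) & 0xFF),
                       (unsigned)((a >> 8) & 0xFF),  (unsigned)(a & 0xFF));
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Pack and format in one step so a caller can check the logged text
 * against the address it expects to see. */
int ipv4_matches(const ipv4_bytes *a, const char *expected) {
    char buf[16];
    return ipv4_format(ipv4_pack(a), buf, sizeof buf) > 0 &&
           strcmp(buf, expected) == 0;
}

int main(void) {
    ipv4_bytes src = {{10, 1, 2, 3}};      /* constructed sample address */
    ipv4_bytes odd = {{1, 0, 0, 0}};       /* what 16777216 decodes to */
    char buf[16];

    ipv4_format(ipv4_pack(&src), buf, sizeof buf);
    printf("IPsource %s (packed %u)\n", buf, (unsigned)ipv4_pack(&src));

    ipv4_format(ipv4_pack(&odd), buf, sizeof buf);
    printf("packed %u decodes to %s: first octet 1, rest zero\n",
           (unsigned)ipv4_pack(&odd), buf);
    return 0;
}
```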