Snort mailing list archives
Re: Custom dynamic preprocessor - How to display alert message passed to alertAdd func?
From: "Seshaiah Erugu (serugu)" <serugu () cisco com>
Date: Thu, 22 Sep 2016 08:59:38 +0000
Hi Jan,

To generate an alert as you expect with dynamic user data, you have to add this rule to the preprocessor.rules file. Please refer to the following example.

Example # The following is the reference code to implement the preprocessor alert. Please refer to the complete code.

1) Add your rule to the preprocessor.rules file.

Ex #

    alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-user; reference:cve,2002-1090; )

2) Write a wrapper function and call _dpd.alertAdd from this function.

Ex # ./dynamic-preprocessors/smtp/smtp_log.c

    void SMTP_GenerateAlert(int event, char *format, ...)
    {
        ------------
        ------------
        ---------------
        smtp_event[event][0] = '\0';
        vsnprintf(&smtp_event[event][0], EVENT_STR_LEN - 1, format, ap);
        smtp_event[event][EVENT_STR_LEN - 1] = '\0';
        _dpd.alertAdd(GENERATOR_SMTP, event, 1, 0, 3, &smtp_event[event][0], 0);
        ----------
        ----------
        -----------
    }

3) Wherever you want to generate an alert, please call your GenerateAlert function with the proper data.

Ex #

    SMTP_GenerateAlert(SMTP_RESPONSE_OVERFLOW, "%s: %d chars", SMTP_RESPONSE_OVERFLOW_STR, resp_line_len);

In your case you should call the GenerateAlert function inside the "IF":

    if (parsed.src_user_name == "bad_intruder") {
        gid=100000;
        sid=9000000;
        revision=1;
        classification=0;
        priority=3;
        rule_info=0;
        msg=src_user_name + " attacks " + dest_address;
        XXXX_GenerateAlert (sid, msg, len);
    }

Please check the following files for adding the #define entries:

./dynamic-preprocessors/smtp/smtp_log.h

    #define SMTP_RESPONSE_OVERFLOW 3
    #define SMTP_RESPONSE_OVERFLOW_STR "(smtp) Attempted response buffer overflow"

./generators.h

    #define GENERATOR_SMTP 124
    #define SMTP_RESPONSE_OVERFLOW 3

Refer to the SMTP_RESPONSE_OVERFLOW alert code and you will get a complete understanding. Let me know if you need any more info.

Thanks,
Seshaiah Erugu.
-----Original Message-----
From: Jan Hermes [mailto:jan.hermes () hotmail de]
Sent: Wednesday, September 21, 2016 7:27 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Custom dynamic preprocessor - How to display alert message passed to alertAdd func?

Hello,

I built a dynamic preprocessor and would like it to create several specific alert messages. Let me give you a short example with some fictional assumptions:

- the preproc parses specific protocols that are not native for snort
- let's say the protocol is: [src_address, dest_address, src_user_name]
- the preprocessor parses all this information from the packet
- if the src_user_name equals "bad_intruder", I want an alert to be generated (of course the simplified concatenation and comparison of strings is only for better reading):

------------------------------------------------------
if (parsed.src_user_name == "bad_intruder") {
    gid=100000;
    sid=9000000;
    revision=1;
    classification=0;
    priority=3;
    rule_info=0;
    msg=src_user_name + " attacks " + dest_address;
    _dpd.alertAdd(gid, sid, revision, classification, priority, msg, rule_info);
}
-------------------------------------------------------

- the local.rules file has this entry:

    alert (sid: 9000000; gid: 100000; msg: "alarm"; rev: 1 )

- the output I get from the alert detection is:

    09/21-13:30:18.178080 [**] [100000:9000000:1] alarm [**]

- But I would like it to display the way I passed it within the preprocessor's code, e.g.:

    09/21-13:30:18.178080 [**] [100000:9000000:1] bad_intruder attacks 172.223.9.151 [**]

How can I achieve this? I already tried to omit the message in the local.rules, which leaves me without any message at all.
Thanks,
Jan

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
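As an added example that is not from this thread or from Snort's source tree: a self-contained version of the wrapper pattern Seshaiah describes, applied to Jan's "bad_intruder" check so the formatted message reaches alertAdd. The DynamicPreprocessorData struct, the stub alertAdd that records its arguments, the my_event buffer, and the names My_GenerateAlert and check_parsed_user are assumptions so that the file compiles and runs outside Snort.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define EVENT_STR_LEN 256
#define MY_GENERATOR 100000        /* gid from the thread's local.rules entry */
#define MY_EVENT_BAD_USER 9000000  /* sid from the thread's local.rules entry */

/* Assumed stand-in for Snort's _dpd table; only alertAdd is modelled, with the
 * argument order of the SMTP_GenerateAlert call quoted in the reply. */
typedef struct {
    int (*alertAdd)(unsigned gid, unsigned sid, unsigned rev, unsigned class_id,
                    unsigned priority, const char *msg, void *rule_info);
} DynamicPreprocessorData;
static struct { unsigned sid; char msg[EVENT_STR_LEN]; } captured_alert;
/* Stub that records what it received so the result can be checked offline. */
static int stub_alertAdd(unsigned gid, unsigned sid, unsigned rev, unsigned class_id,
                         unsigned priority, const char *msg, void *rule_info)
{
    (void)gid; (void)rev; (void)class_id; (void)priority; (void)rule_info;
    captured_alert.sid = sid;
    snprintf(captured_alert.msg, sizeof captured_alert.msg, "%s", msg);
    return 0;
}
static DynamicPreprocessorData _dpd = { stub_alertAdd };
/* One fixed-size message buffer per event index, as the SMTP preprocessor keeps. */
static char my_event[1][EVENT_STR_LEN];

/* Format the dynamic message into the event buffer and hand it to alertAdd. Sizing
 * vsnprintf to EVENT_STR_LEN - 1 and writing the last NUL explicitly keeps an
 * over-long packet-derived field from producing an unterminated string. */
void My_GenerateAlert(int event_idx, unsigned sid, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    my_event[event_idx][0] = '\0';
    vsnprintf(&my_event[event_idx][0], EVENT_STR_LEN - 1, format, ap);
    my_event[event_idx][EVENT_STR_LEN - 1] = '\0';
    va_end(ap);
    _dpd.alertAdd(MY_GENERATOR, sid, 1, 0, 3, &my_event[event_idx][0], NULL);
}
/* The check from the question as real C rather than pseudocode; returns 1 if it alerted. */
int check_parsed_user(const char *src_user_name, const char *dest_address)
{
    if (strcmp(src_user_name, "bad_intruder") != 0)
        return 0;
    My_GenerateAlert(0, MY_EVENT_BAD_USER, "%s attacks %s", src_user_name, dest_address);
    return 1;
}
const char *last_alert_msg(void) { return captured_alert.msg; }
unsigned last_alert_sid(void) { return captured_alert.sid; }
```

Inside Snort the real _dpd.alertAdd replaces the stub, and the sid/gid pair must still match a preprocessor.rules entry for the event to be reported.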