Snort mailing list archives
Re: Snort-devel Digest, Vol 128, Issue 1
From: Da Pozzo Matteo <m.dapozzo () reply it>
Date: Fri, 17 Mar 2017 15:16:21 +0000
Hi Russ,

Thank you for your feedback. An example could be when the sensor is placed inline but intercepts the DNS request originated by a client that is infected, but the DNS query is intercepted from the internal DNS server to the Internet DNS server/root name servers, so in this case we can see that the malicious DNS request was originated by the internal DNS server and then we are not able to identify the real infected client. However, we can try to adjust the DNS flows in order to intercept the client to internal DNS query, but I think that parsing and logging the ECS option could be a useful feature (basically it is the same logic as XFF for HTTP).

Regarding your question, the answer is yes, I am just looking to log extra data with an event. If we look at Firepower, it could be useful to track the real client IP of the DNS query in DNS security intelligence events and also in BLACKLIST-DNS events. (If you want, you can check this to obtain some traffic with this option: https://tools.keycdn.com/dig )

The RFC draft (7871) states that this option is for client subnet, but in this case we need to intercept the client IP; as you can see from the dig output, the CLIENT-SUBNET implementation also supports the CIDR notation with a host mask:

; <<>> DiG 9.10.1 <<>> +additional google.com @8.8.4.4 +subnet=192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18692
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 192.168.10.10/32/0
;; QUESTION SECTION:
;google.com.            IN      A

;; ANSWER SECTION:
google.com.     299     IN      A       209.85.147.101
google.com.     299     IN      A       209.85.147.100
google.com.     299     IN      A       209.85.147.139
google.com.     299     IN      A       209.85.147.102
google.com.     299     IN      A       209.85.147.113
google.com.     299     IN      A       209.85.147.138

;; Query time: 24 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Mar 17 15:07:52 UTC 2017
;; MSG SIZE  rcvd: 147

I hope I was clear enough. Please, let me know your opinion.

Thanks in advance, Best Regards.
Matteo

Matteo Da Pozzo
Communication Valley
Via Robert Koch, 1/4 20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo () reply it
www.reply.it

-----Original Message-----
From: snort-devel-request () lists sourceforge net [mailto:snort-devel-request () lists sourceforge net]
Sent: Friday, 17 March 2017 15:22
To: snort-devel () lists sourceforge net
Subject: Snort-devel Digest, Vol 128, Issue 1

Send Snort-devel mailing list submissions to snort-devel () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-devel or, via email, send a message with subject or body 'help' to snort-devel-request () lists sourceforge net

You can reach the person managing the list at snort-devel-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-devel digest..."

Today's Topics:
1. Snort 3.0 Alpha 4 has been released! (Snort Releases)
2. EDNS-Client-Subnet ECS (Da Pozzo Matteo)
3. Re: EDNS-Client-Subnet ECS (Russ)

----------------------------------------------------------------------

Message: 1
Date: Thu, 2 Mar 2017 12:24:00 -0500
From: Snort Releases <snortreleases () snort org>
Subject: [Snort-devel] Snort 3.0 Alpha 4 has been released!
To: snort-users () lists sourceforge net, snort-devel () lists sourceforge net
Message-ID: <1ef0236c-89cb-ee13-3550-ff91d7509e7e () snort org>
Content-Type: text/plain; charset="utf-8"

The fourth alpha release of Snort++ is now available on Snort.org <https://snort.org/downloads/#snort-3.0>.
If you haven't tried Snort++ yet, now is a good time to do so as this pig sports a superset of Snort 2.9.8.3 functionality:

* Support for multiple packet processing threads
* Improved throughput and latency performance
* Improved detection
* Modular design
* Plugin framework with over 200 plugins
* More scalable memory profile
* A brand new HTTP inspector
* Service rules like alert http
* Rule "sticky" buffers
* LuaJIT configuration, loggers, and rule options
* Auto-detect common services for portless configuration
* Rewritten TCP handling
* New rule parser and syntax
* New performance monitor
* New time and space profiling
* New latency monitoring and enforcement
* Automake or Cmake - your choice
* Builtin help and generated reference documentation

The first beta release is expected around midyear at which point Talos will provide 3.0 rule downloads. In the meantime, you can use the snort2lua utility packaged with Snort++ to convert 2.X rules and confs.

There are lots of enhancements and new features planned for Snort++, some of which are already in development. As always, new downloads are posted to snort.org <http://snort.org/> monthly. You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs () snort org or the Snort-Users <https://lists.sourceforge.net/lists/listinfo/snort-users> mailing list.

Happy Snorting!
The Snort Release Team

-------------- next part --------------
An HTML attachment was scrubbed...
------------------------------

Message: 2
Date: Thu, 16 Mar 2017 09:34:35 +0000
From: Da Pozzo Matteo <m.dapozzo () reply it>
Subject: [Snort-devel] EDNS-Client-Subnet ECS
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Message-ID: <55560A9516213C45A36F74E8B964B2A972FD3F96 () CED01MBXS01 replynet prv>
Content-Type: text/plain; charset="us-ascii"

Hi,

I would like to know if there is any plan for development regarding EDNS-Client-Subnet (like field extraction for Original-client-IP for HTTP). I think that it could be useful for security purposes in existing deployments in order to use DNS query content like XFF for HTTP.

Please, let me know about your opinion.

Thanks in advance, Best Regards.
Matteo

Matteo Da Pozzo
Communication Valley
Via Robert Koch, 1/4 20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo () reply it<mailto:m.dapozzo () reply it>
www.reply.it
[Communication Valley]

________________________________
--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: com_valley.png
Type: image/png
Size: 3145 bytes
Desc: com_valley.png

------------------------------

Message: 3
Date: Fri, 17 Mar 2017 10:21:50 -0400
From: Russ <rucombs () cisco com>
Subject: Re: [Snort-devel] EDNS-Client-Subnet ECS
To: snort-devel () lists sourceforge net
Message-ID: <cb99baf1-6a30-8a5e-d2d8-80fd665fc2da () cisco com>
Content-Type: text/plain; charset="windows-1252"

Can you give an example of your use case(s)? Are you looking just to log extra data with an event like XFF or are you looking for a way to match on the content?

On 3/16/17 5:34 AM, Da Pozzo Matteo wrote:
Hi,

I would like to know if there is any plan for development regarding EDNS-Client-Subnet (like field extraction for Original-client-IP for HTTP). I think that it could be useful for security purposes in existing deployments in order to use DNS query content like XFF for HTTP.

Please, let me know about your opinion.

Thanks in advance, Best Regards.
Matteo

Matteo Da Pozzo
Communication Valley
Via Robert Koch, 1/4 20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo () reply it <mailto:m.dapozzo () reply it>
www.reply.it
Communication Valley

----------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
------------------------------

End of Snort-devel Digest, Vol 128, Issue 1
*******************************************
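The feature requested in this thread is, in practice, a decoder for the EDNS Client Subnet option (RFC 7871, option code 8 in the OPT pseudo-RR) applied to queries seen between a forwarder and the upstream resolver, so that the originating client address can be attached to an event the way XFF is for HTTP. The following is an added illustration written for this archive page; it is not code from Snort, Firepower or anyone in the thread. Function names (`parse_ecs`, `build_query_with_ecs`) and the packet bytes are constructed here: the builder produces the same option that `dig +subnet=192.168.10.10` attached in the quoted output, and the parser applies the RFC 7871 length and trailing-bit checks so that a malformed option is logged as absent rather than as a bogus address.

```python
"""Extract the EDNS Client Subnet (ECS, RFC 7871) option from a DNS query.

Added example, not part of the Snort project. All packet bytes are
constructed in this file; nothing is sent on the network.
"""
import struct
import ipaddress

OPT_RR_TYPE = 41        # EDNS(0) OPT pseudo-RR type (RFC 6891)
ECS_OPTION_CODE = 8     # CLIENT-SUBNET option code (RFC 7871)


def _skip_name(buf, off):
    """Advance past a wire-format domain name, including compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _decode_ecs_option(body):
    """Decode one ECS option body; return a dict, or None if it is malformed."""
    if len(body) < 4:
        return None
    family, source, scope = struct.unpack_from("!HBB", body, 0)
    addr = body[4:]
    if family == 1:
        total, net_cls = 4, ipaddress.IPv4Network
    elif family == 2:
        total, net_cls = 16, ipaddress.IPv6Network
    else:
        return None
    # RFC 7871 section 6: the address is truncated to the octets needed for
    # SOURCE PREFIX-LENGTH bits, and any trailing bits must be zero.
    if len(addr) != (source + 7) // 8 or len(addr) > total:
        return None
    try:
        net = net_cls((addr + b"\x00" * (total - len(addr)), source), strict=True)
    except ValueError:                     # prefix too long or non-zero trailing bits
        return None
    return {
        "family": family,
        "source_prefix": source,
        "scope_prefix": scope,
        "subnet": str(net),
        "dig_style": f"{net.network_address}/{source}/{scope}",  # same layout as dig prints
    }


def parse_ecs(packet):
    """Return the ECS option carried by a DNS message, or None if absent/malformed."""
    try:
        qd, an, ns, ar = struct.unpack_from("!HHHH", packet, 4)
        off = 12
        for _ in range(qd):
            off = _skip_name(packet, off) + 4              # skip QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(packet, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
            off += 10
            rdata = packet[off:off + rdlen]
            off += rdlen
            if rtype != OPT_RR_TYPE:
                continue
            pos = 0
            while pos + 4 <= len(rdata):                   # walk the OPT option list
                code, olen = struct.unpack_from("!HH", rdata, pos)
                body = rdata[pos + 4:pos + 4 + olen]
                pos += 4 + olen
                if code == ECS_OPTION_CODE:
                    return _decode_ecs_option(body)
    except (IndexError, struct.error):
        return None                                        # truncated packet
    return None


def _question(qname):
    labels = qname.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00" + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN


def build_query_with_ecs(qname, client_ip, prefix_len):
    """Construct a query carrying ECS, as 'dig +subnet=<ip>/<len>' would."""
    header = struct.pack("!HHHHHH", 0x4904, 0x0100, 1, 0, 0, 1)  # constructed id, RD set, 1 additional
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(prefix_len + 7) // 8]
    option = struct.pack("!HBB", family, prefix_len, 0) + addr
    rdata = struct.pack("!HH", ECS_OPTION_CODE, len(option)) + option
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 512, 0, len(rdata)) + rdata
    return header + _question(qname) + opt_rr


# Constructed negative samples: a query with no OPT RR, and one whose ECS
# option claims /24 but carries four address octets with a non-zero last octet.
QUERY_WITHOUT_OPT = struct.pack("!HHHHHH", 0x4904, 0x0100, 1, 0, 0, 0) + _question("google.com")
_BAD_OPTION = struct.pack("!HBB", 1, 24, 0) + bytes([192, 168, 10, 10])
_BAD_RDATA = struct.pack("!HH", ECS_OPTION_CODE, len(_BAD_OPTION)) + _BAD_OPTION
MALFORMED_ECS_QUERY = (struct.pack("!HHHHHH", 0x4904, 0x0100, 1, 0, 0, 1) + _question("google.com")
                       + b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 512, 0, len(_BAD_RDATA)) + _BAD_RDATA)


if __name__ == "__main__":
    # Reproduces the CLIENT-SUBNET line shown in the dig output above.
    print(parse_ecs(build_query_with_ecs("google.com", "192.168.10.10", 32))["dig_style"])
```

Running the file prints `192.168.10.10/32/0`, matching the `; CLIENT-SUBNET:` line in the quoted dig session. The scope field is taken from the option as-is, because in a query it is always zero and only becomes meaningful in the response; a sensor logging "original client" should therefore read the option from the query direction, and treat the value as an unauthenticated hint supplied by the forwarder, exactly as it would treat an XFF header.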
Current thread:
- Re: Snort-devel Digest, Vol 128, Issue 1 Da Pozzo Matteo (Mar 17)
- Re: Snort-devel Digest, Vol 128, Issue 1 Russ (Mar 17)