Snort mailing list archives

Re: Snort 3 - Figuring out RNA


From: Y M via Snort-devel <snort-devel () lists snort org>
Date: Thu, 30 Apr 2020 18:34:37 +0000

Thank you so much Masud! Very exciting features. Will experiment with the notes you provided.

YM
________________________________
From: Masud Hasan (mashasan) <mashasan () cisco com>
Sent: Thursday, April 30, 2020 9:17 PM
To: Y M <snort () outlook com>; snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Snort 3 - Figuring out RNA


Hello YM,

Thanks for your queries. Please note that the RNA inspector "is still in experimental (work-in-progress) state", as mentioned in dev_notes. Currently, RNA only supports host discovery with filtering based on IP/port/zone. We will add a description of how to configure this.

Answers to your questions:



1.  The rna_conf_path can set the path to an RNA configuration file having these keywords:

    AnalyzeApplication # discover application
    Analyze            # discover application, host, user
    AnalyzeHostUser    # discover application, host, user (same as Analyze)
    AnalyzeHost        # discover application, host
    AnalyzeUser        # discover application, user
    portexclusion      # don't discover on this port
    # Note: application and user discoveries are not implemented yet.

    Format:

    config keyword [!]ip [zone]
    portexclusion dst|src|both tcp|udp port ip

    Examples:

    config AnalyzeHost 0.0.0.0/0 -1     # discover any ipv4 on any zone
    config AnalyzeHost ::/0 2           # discover any ipv6 on zone 2
    config AnalyzeHost !1.2.3.4/16 3    # exclude this ipv4 range on zone 3
    config Analyze !cafe:feed::0/64     # exclude this ipv6 range on any zone
    portexclusion dst udp 53 8.0.0.0/8  # exclude this ipv4 range for UDP port 53 in destination direction
    portexclusion both tcp 4000 ::0/0   # exclude any ipv6 for TCP port 4000 in both directions
    # Note: exclusion has higher priority than inclusion.



2.  Fingerprint and util_lib_path decoder are not implemented yet.



3.  The enable_logger config is to enable/disable sending RNA discovery events to EventManager::call_loggers. Such an event logger or reader is not implemented yet. However, since RNA stores host information into host_cache, to log the discovered hosts into a file, one can

    i) issue the socket command: host_cache.dump('file.out'), or
    ii) add the lua config: host_cache = { dump_file = 'file.out' }.



4.  The enable_banner_grab is another placeholder not implemented yet.



5.  To use the RNA host discovery feature, please try configuring it using the steps mentioned above.



Thanks,

Masud Hasan
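The configuration format and precedence rules from Masud's reply, as an added worked example that is not part of the thread or of Snort's own code: a small Python parser for the rna_conf_path file, followed by a helper that decides whether a given host (IP, zone, and optionally protocol/port/direction) would be discovered under those rules. The sample file is constructed from the six example lines in the reply; the matching semantics (a rule zone of -1 or no zone meaning any zone, exclusion taking priority over inclusion, a portexclusion needing direction, protocol, port and network all to match) are assumptions read from the reply and have not been verified against the inspector's source.

```python
"""Parser and decision helper for the RNA host-discovery config format
described in the reply (config keyword [!]ip [zone] / portexclusion ...).
Added example, not Snort code: the matching semantics below (zone -1 = any
zone, exclusion beats inclusion, a portexclusion must match direction,
protocol, port and network) are our reading of the reply."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Keywords listed in the reply, and which of them cover host discovery
# (the only discovery type implemented at the time of the reply).
KEYWORDS = {"AnalyzeApplication", "Analyze", "AnalyzeHostUser", "AnalyzeHost", "AnalyzeUser"}
HOST_KEYWORDS = {"Analyze", "AnalyzeHostUser", "AnalyzeHost"}

# Constructed sample file: the six example lines from the reply.
SAMPLE_CONF = """\
config AnalyzeHost 0.0.0.0/0 -1     # discover any ipv4 on any zone
config AnalyzeHost ::/0 2           # discover any ipv6 on zone 2
config AnalyzeHost !1.2.3.4/16 3    # exclude this ipv4 range on zone 3
config Analyze !cafe:feed::0/64     # exclude this ipv6 range on any zone
portexclusion dst udp 53 8.0.0.0/8  # exclude this ipv4 range for UDP port 53 in destination direction
portexclusion both tcp 4000 ::0/0   # exclude any ipv6 for TCP port 4000 in both directions
"""


@dataclass(frozen=True)
class AnalyzeRule:
    keyword: str
    exclude: bool       # True when the ip was prefixed with '!'
    network: Network
    zone: int           # -1 means any zone (assumption)


@dataclass(frozen=True)
class PortExclusion:
    direction: str      # dst | src | both
    proto: str          # tcp | udp
    port: int
    network: Network


def parse_rna_conf(text: str) -> Tuple[List[AnalyzeRule], List[PortExclusion]]:
    """Parse the text format; raise ValueError naming the line on bad input."""
    rules: List[AnalyzeRule] = []
    exclusions: List[PortExclusion] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        try:
            if parts[0] == "config" and len(parts) in (3, 4):
                keyword, ipspec = parts[1], parts[2]
                if keyword not in KEYWORDS:
                    raise ValueError(f"unknown keyword {keyword!r}")
                exclude = ipspec.startswith("!")
                # strict=False accepts host bits in the prefix, as in '1.2.3.4/16'
                net = ipaddress.ip_network(ipspec.lstrip("!"), strict=False)
                zone = int(parts[3]) if len(parts) == 4 else -1
                rules.append(AnalyzeRule(keyword, exclude, net, zone))
            elif parts[0] == "portexclusion" and len(parts) == 5:
                direction, proto, port, ipspec = parts[1], parts[2], int(parts[3]), parts[4]
                if direction not in ("dst", "src", "both") or proto not in ("tcp", "udp"):
                    raise ValueError("bad direction or protocol")
                if not 0 <= port <= 65535:
                    raise ValueError("port out of range")
                net = ipaddress.ip_network(ipspec, strict=False)
                exclusions.append(PortExclusion(direction, proto, port, net))
            else:
                raise ValueError("unrecognised line")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return rules, exclusions


def host_discovered(rules: List[AnalyzeRule], exclusions: List[PortExclusion],
                    ip: str, zone: int, proto: Optional[str] = None,
                    port: Optional[int] = None, direction: Optional[str] = None) -> bool:
    """Would this host be recorded? It needs a matching inclusion rule and no
    matching exclusion; exclusion has higher priority than inclusion."""
    addr = ipaddress.ip_address(ip)

    def matches(rule: AnalyzeRule) -> bool:
        return (rule.keyword in HOST_KEYWORDS
                and addr.version == rule.network.version
                and addr in rule.network
                and rule.zone in (-1, zone))

    included = any(matches(r) for r in rules if not r.exclude)
    excluded = any(matches(r) for r in rules if r.exclude)
    if proto is not None:   # only check port exclusions when a flow is given
        excluded = excluded or any(
            pe.proto == proto and pe.port == port
            and (pe.direction == "both" or pe.direction == direction)
            and addr.version == pe.network.version and addr in pe.network
            for pe in exclusions)
    return included and not excluded


RULES, EXCLUSIONS = parse_rna_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for args in [("10.1.2.3", 5), ("1.2.3.4", 3), ("1.2.3.4", 1),
                 ("8.8.8.8", 1, "udp", 53, "dst"), ("2001:db8::1", 4)]:
        print(args, host_discovered(RULES, EXCLUSIONS, *args))
```

Feeding the parser your own rna_conf_path file before pointing Snort at it catches unknown keywords, malformed prefixes and bad ports up front, and host_discovered lets you confirm that an exclusion you added really shadows the broad include, since with these rules an excluded range stays excluded no matter how many includes also match it.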



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Y M via Snort-devel <snort-devel () lists snort 
org>
Reply-To: Y M <snort () outlook com>
Date: Wednesday, April 29, 2020 at 1:43 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3 - Figuring out RNA



Hello,



I am trying to figure out how to configure RNA to add it to the Snort 3 guide on CentOS. There does not appear to be any rna.text documentation except for the dev notes, which do not provide configuration information. So I have a couple of questions.

  1.  What is the expected format of the RNA configuration file specified by the rna_conf_path?
  2.  What are the expected fields and format of the fingerprints? Do these not matter since they will be processed by the fingerprint decoder under util_lib_path?
  3.  Using the defaults from rna_config.h while setting enable_logger = true in snort.lua, there are no generated logs. I am guessing that the fingerprint decoder and fingerprints must exist?
  4.  In rna_config.h, there is a default option to grab banners, enable_banner_grab, which appears to be set to false. However, the documentation does not state any way to configure it otherwise.
  5.  I experimented with the following configuration, using nmap-os-db fingerprints:

      rna =
      {
          rna_util_lib_path = '/usr/local/snort/rna/decoder/nmap',
          fingerprint_dir = '/usr/local/snort/rna/fingerprints',
          custom_fingerprint_dir = '/usr/local/snort/rna/fingerprints',
          enable_logger = true
      }



      The "rna" directory contains the "fingerprint_db.json". I did not receive any errors, but I also did not observe any logs. Looking at Snort exit stats indicates that RNA is performing as expected?

      --------------------------------------------------
      rna
                 icmp_new: 213
        udp_bidirectional: 548401
                  udp_new: 406044
                  tcp_syn: 860955
              tcp_syn_ack: 488610
            tcp_midstream: 2033
            other_packets: 1014
      --------------------------------------------------



Is there an example on how to configure and use RNA?



Thank you.

YM