Snort mailing list archives
Re: Smb output
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 21 Jul 2004 17:40:30 -0500
On Wed, 2004-07-21 at 17:13, Michael Sconzo wrote:
> > As I said, looks like the output plugin could be optimized where the admin supplies not only the IP address but also the NetBIOS name of the system to be contacted. All Snort would need to do is populate a UDP packet and throw it on the wire (without calling smbclient).
>
> Ok, if you re-wrote smbclient (or at least the part that does the WinPopUp stuff),

No, no. I'm saying don't use smbclient at all. Have Snort populate a UDP packet and send it out.

> But then you need to get the NetBIOS name out of something etc

As I said, have that specified in snort.conf. Then again, is it really needed? Look at the Windows spam pop-ups from the Internet. They only use an IP address, no NetBIOS name. Matter of fact, such a spam packet (perhaps one that is logged by Snort itself) could be used as a blueprint for an improved SMB alert packet.

> ... and calling the external programs via a script or something

Again, no external programs involved. Snort will, just like with the TCP reset packets, assemble and send its own packet. No call to external programs.

> Then that gets into duplicating work etc ... but if you or somebody else does it, I wouldn't complain either, and would probably use it.

Heh... I don't even have much time at the moment to work on Snortsam. :( And since I don't use the SMB alert, there is no incentive for me either.

Speaking of Snortsam, I'm doing something very similar there. The OPSEC plugin calls the OPSEC library routines. However, I also have my own routine that populates an OPSEC-like packet and sends it out. Matter of fact, this fwsam plugin was there first, derived from packet captures and an afternoon reverse engineering the OPSEC packet format. It is much faster than the official OPSEC library.

Anyhow... my point is that the alert itself is just a single UDP packet. Snort can send one itself without having to do all sorts of stuff like resolving NetBIOS names and calling executables like smbclient. Another advantage of not depending on smbclient is that it would work on any platform, even Windows.

Cheers,
Frank
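Frank's argument is that the SMB/WinPopup alert is a single NetBIOS datagram on UDP 138 that an output plugin can assemble itself, the same way Snort assembles its own TCP reset packets, and that a logged pop-up packet makes a usable blueprint. The following Python is an added illustration and is not code from Snort, Snortsam or this thread: it implements the RFC 1002 datagram header and the NetBIOS first-level name encoding that both a self-contained sender and a decoder for a captured/logged datagram need, and it validates the length and name fields the way a detector should. The SMB mailslot write that actually carries the pop-up text is not spelled out on the page, so it is passed through as an opaque `user_data` field (an assumption of this example); the host names, IP and datagram ID in the demo are constructed sample values.

```python
import socket
import struct

# RFC 1002 section 4.4.1, NetBIOS datagram header (all fields big-endian):
# MSG_TYPE(1) FLAGS(1) DGM_ID(2) SOURCE_IP(4) SOURCE_PORT(2) DGM_LENGTH(2) PACKET_OFFSET(2)
_HDR = ">BBH4sHHH"
_HDR_LEN = struct.calcsize(_HDR)  # 14 bytes

MSG_DIRECT_UNIQUE = 0x10
MSG_DIRECT_GROUP = 0x11
MSG_BROADCAST = 0x12
_VALID_TYPES = (MSG_DIRECT_UNIQUE, MSG_DIRECT_GROUP, MSG_BROADCAST)

FLAG_FIRST = 0x02   # F bit: first (and here only) fragment; SNT bits 0 = B-node source
SUFFIX_WORKSTATION = 0x00
SUFFIX_MESSENGER = 0x03  # service-type suffix used by the Messenger (pop-up) service


def encode_netbios_name(name, suffix=SUFFIX_WORKSTATION):
    """RFC 1001/1002 first-level encoding: pad the name with spaces to 15 bytes,
    append the suffix byte, then emit each nibble of every byte as 'A'..'P'.
    Returns the 32-character ASCII string that appears on the wire."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    out = []
    for b in raw:
        out.append(chr(0x41 + (b >> 4)))
        out.append(chr(0x41 + (b & 0x0F)))
    return "".join(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("malformed first-level encoded NetBIOS name")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        raw.append(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def _wire_name(encoded):
    # On the wire the name is one DNS-style label: length byte 0x20, 32 chars, terminating 0x00
    return b"\x20" + encoded.encode("ascii") + b"\x00"


def _read_wire_name(buf):
    if len(buf) < 34 or buf[0] != 0x20 or buf[33] != 0x00:
        raise ValueError("malformed NetBIOS name label")
    return decode_netbios_name(buf[1:33].decode("ascii")), buf[34:]


def build_netbios_datagram(src_ip, src_port, src_name, dst_name, user_data,
                           msg_type=MSG_DIRECT_UNIQUE, dgm_id=1):
    """Assemble a complete NetBIOS datagram (header + names + user data) in memory."""
    body = (_wire_name(encode_netbios_name(src_name, SUFFIX_WORKSTATION))
            + _wire_name(encode_netbios_name(dst_name, SUFFIX_MESSENGER))
            + user_data)
    # DGM_LENGTH counts the bytes after PACKET_OFFSET: both names plus the user data
    header = struct.pack(_HDR, msg_type, FLAG_FIRST, dgm_id,
                         socket.inet_aton(src_ip), src_port, len(body), 0)
    return header + body


def parse_netbios_datagram(buf):
    """Decode a captured datagram, rejecting anything whose header does not
    agree with the bytes actually present (the check a detector should make)."""
    if len(buf) < _HDR_LEN:
        raise ValueError("truncated NetBIOS datagram header")
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, offset = struct.unpack(
        _HDR, buf[:_HDR_LEN])
    if msg_type not in _VALID_TYPES:
        raise ValueError("not a NetBIOS datagram message type: 0x%02x" % msg_type)
    body = buf[_HDR_LEN:]
    if dgm_len != len(body):
        raise ValueError("DGM_LENGTH %d does not match %d payload bytes" % (dgm_len, len(body)))
    src_name, rest = _read_wire_name(body)
    dst_name, rest = _read_wire_name(rest)
    return {
        "msg_type": msg_type, "flags": flags, "dgm_id": dgm_id,
        "src_ip": socket.inet_ntoa(src_ip), "src_port": src_port,
        "packet_offset": offset, "src_name": src_name, "dst_name": dst_name,
        "user_data": rest,
    }


if __name__ == "__main__":
    # Constructed sample values; nothing is sent on the network here.
    pkt = build_netbios_datagram("192.0.2.10", 138, "SNORTBOX", "ADMINPC",
                                 b"<opaque SMB mailslot payload>", dgm_id=7)
    print(parse_netbios_datagram(pkt))
```

A sender would hand the bytes from `build_netbios_datagram` to a UDP socket bound to port 138; the parser is the more useful half for the detection side, because a Messenger-style datagram arriving from the Internet with a foreign `src_name` or a `DGM_LENGTH` that disagrees with the packet is exactly the kind of thing a rule or a log review should flag.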