Snort mailing list archives
Re: Snort 3 - Figuring out RNA
From: "Masud Hasan \(mashasan\) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 30 Apr 2020 18:17:48 +0000
Hello YM,

Thanks for your queries. Please note that the RNA "inspector is still in experimental (work-in-progress) state" as mentioned in dev_notes. Currently, RNA only supports host discovery with filtering based on IP/port/zone. We will add a description of how to configure this.

Answers to your questions:

1. The rna_conf_path can set the path to the RNA configuration file having keywords:

       AnalyzeApplication  # discover application
       Analyze             # discover application, host, user
       AnalyzeHostUser     # discover application, host, user (same as Analyze)
       AnalyzeHost         # discover application, host
       AnalyzeUser         # discover application, user
       portexclusion       # don't discover on this port
       # Note: application and user discoveries are not implemented yet.

   Format:

       config keyword [!]ip [zone]
       portexclusion dst|src|both tcp|udp port ip

   Examples:

       config AnalyzeHost 0.0.0.0/0 -1      # discover any ipv4 on any zone
       config AnalyzeHost ::/0 2            # discover any ipv6 on zone 2
       config AnalyzeHost !1.2.3.4/16 3     # exclude this ipv4 range on zone 3
       config Analyze !cafe:feed::0/64      # exclude this ipv6 range on any zone
       portexclusion dst udp 53 8.0.0.0/8   # exclude this ipv4 range for UDP port 53 in destination direction
       portexclusion both tcp 4000 ::0/0    # exclude any ipv6 for TCP port 4000 in both directions
       # Note: exclusion has higher priority than inclusion.

2. Fingerprint and util_lib_path decoder are not implemented yet.

3. The enable_logger config is to enable/disable sending RNA discovery events to EventManager::call_loggers. Such an event logger or reader is not implemented yet. However, since RNA stores host information into host_cache, to log the discovered hosts into a file, one can i) issue the socket command: host_cache.dump('file.out'), or ii) add the lua config: host_cache = { dump_file = 'file.out' }.

4. The enable_banner_grab is another placeholder not implemented yet.

5. To use the RNA host discovery feature, please try configuring it using the steps mentioned above.
Thanks,
Masud Hasan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Y M via Snort-devel <snort-devel () lists snort org>
Reply-To: Y M <snort () outlook com>
Date: Wednesday, April 29, 2020 at 1:43 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3 - Figuring out RNA

Hello,

I am trying to figure out how to configure RNA to add it to the Snort 3 guide on CentOS. There does not appear to be an rna.text documentation except for the dev notes, which does not provide configuration information. So I have a couple of questions.

1. What is the expected format of the RNA configuration file specified by the rna_conf_path?

2. What are the expected fields and format of the fingerprints? Do these not matter since they will be processed by the fingerprint decoder under util_lib_path?

3. Using the defaults from rna_config.h while setting enable_logger = true in snort.lua, there are no generated logs. I am guessing that the fingerprint decoder and fingerprints must exist?

4. In rna_config.h, there is a default option to grab banners, enable_banner_grab, which appears to be set to false. However, the documentation does not state any way to configure it otherwise.

5. I experimented with the following configuration, using nmap-os-db fingerprints:

       rna = {
           rna_util_lib_path = '/usr/local/snort/rna/decoder/nmap',
           fingerprint_dir = '/usr/local/snort/rna/fingerprints',
           custom_fingerprint_dir = '/usr/local/snort/rna/fingerprints',
           enable_logger = true
       }

   The "rna" directory contains the "fingerprint_db.json". I did not receive any errors, but I also did not observe any logs. Looking at Snort exit stats indicates that RNA is performing as expected?

       --------------------------------------------------
       rna
                   icmp_new: 213
          udp_bidirectional: 548401
                    udp_new: 406044
                    tcp_syn: 860955
                tcp_syn_ack: 488610
              tcp_midstream: 2033
              other_packets: 1014
       --------------------------------------------------

Is there an example on how to configure and use RNA?

Thank you.
YM
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
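The config-file format Masud describes in his reply (config keyword [!]ip [zone] plus portexclusion lines, with exclusion beating inclusion), as an added example that is not part of the thread or of Snort's own code: a small Python parser for that format and a check that answers whether a given host would be picked up by host discovery. The exact meaning of the portexclusion direction (the role the host plays in the flow) and of an omitted zone (any zone) are assumptions taken from the comments in the reply; the sample config is constructed from the reply's example lines.

```python
import ipaddress
from typing import Optional

# Keywords listed in the reply; only these three enable host discovery (app/user discovery is not implemented).
HOST_KEYWORDS = {"Analyze", "AnalyzeHostUser", "AnalyzeHost"}
ALL_KEYWORDS = HOST_KEYWORDS | {"AnalyzeApplication", "AnalyzeUser"}

def parse_rna_conf(text: str):
    """Return (net_rules, port_rules); net rule = (exclude, net, zone), port rule = (dir, proto, port, net)."""
    nets, ports = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not parts:
            continue
        if parts[0] == "config" and len(parts) in (3, 4) and parts[1] in ALL_KEYWORDS:
            exclude = parts[2].startswith("!")  # '!' prefix excludes the range
            net = ipaddress.ip_network(parts[2].lstrip("!"), strict=False)
            zone = int(parts[3]) if len(parts) == 4 else -1  # assumed: no zone means any zone (-1)
            if exclude or parts[1] in HOST_KEYWORDS:  # app/user-only includes add no host
                nets.append((exclude, net, zone))
        elif (parts[0] == "portexclusion" and len(parts) == 5
              and parts[1] in ("dst", "src", "both") and parts[2] in ("tcp", "udp")):
            ports.append((parts[1], parts[2], int(parts[3]),
                          ipaddress.ip_network(parts[4], strict=False)))
        else:
            raise ValueError(f"unrecognized RNA config line: {raw!r}")
    return nets, ports

def should_discover(rules, host_ip: str, zone: int, proto: Optional[str] = None,
                    port: Optional[int] = None, direction: Optional[str] = None) -> bool:
    """Would RNA record host_ip, seen in `zone` as the `direction` end of a proto/port flow? (assumed semantics)"""
    ip = ipaddress.ip_address(host_ip)  # 'ip in net' is False across v4/v6 families
    nets, ports = rules
    # Exclusion has higher priority than inclusion, so exclusions are checked first.
    if any(pr == proto and pp == port and d in (direction, "both") and ip in n
           for d, pr, pp, n in ports):
        return False
    if any(ex and ip in n and z in (-1, zone) for ex, n, z in nets):
        return False
    return any(not ex and ip in n and z in (-1, zone) for ex, n, z in nets)

SAMPLE_CONF = """\
config AnalyzeHost 0.0.0.0/0 -1     # discover any ipv4 on any zone
config AnalyzeHost ::/0 2           # discover any ipv6 on zone 2
config AnalyzeHost !1.2.3.4/16 3    # exclude this ipv4 range on zone 3
config Analyze !cafe:feed::0/64     # exclude this ipv6 range on any zone
portexclusion dst udp 53 8.0.0.0/8  # no discovery of 8/8 hosts as UDP/53 destinations
portexclusion both tcp 4000 ::0/0   # no ipv6 host discovery on TCP/4000, either direction
"""
RULES = parse_rna_conf(SAMPLE_CONF)  # constructed sample, built from the reply's example lines
```

Running the same checks against the real inspector (for example by comparing with a host_cache.dump('file.out') taken after a test capture) is the way to confirm the assumed direction and zone semantics.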
Current thread:
- Snort 3 - Figuring out RNA Y M via Snort-devel (Apr 29)
- <Possible follow-ups>
- Re: Snort 3 - Figuring out RNA Masud Hasan (mashasan) via Snort-devel (Apr 30)
- Re: Snort 3 - Figuring out RNA Y M via Snort-devel (Apr 30)
- Re: Snort 3 - Figuring out RNA Masud Hasan (mashasan) via Snort-devel (Apr 30)