Snort mailing list archives

Extending CSV output plug-in

From: "Kamran Shafi" <kamran.shafi () gmail com>
Date: Sun, 2 Mar 2008 12:21:54 +1100

Hi All,

I am new to Snort and this is my first mail to this list so please bear with
me.

First - I have been trying hard for last few days to get csv plug-in work
for me but it has not. I am on Fedora Core 7 and running Snort 2.8.1 the
latest version. I am running Snort with the following command:

snort -A console -i lo -c test.conf  (please see the output of running this
command at the bottom of this mail)

I have enabled only one rules file i.e. local.rules and have some test rules
in it.

the entry for my csv output plug-in in the test.conf file is

output alert_CSV: /var/log/alert.csv default

Afterwards I generate some attack traffic and get some alerts on the
console. (please see the output at the end of this mail).

The problem is that the alert.csv is never created!!!

I have tried using full mode, -h flag and few other tricks but nothing is
working

Please note that I have not installed barnyard and assume that it is not a
must for csv module to work.

My second question is the following:

If I am lucky enough to configure the csv module correctly with the help of
you gurus, then how can I extend this module to add more details about the
packet payload to the csv output ?

I have posted similar messages on Snort forum without any response. Any help
is appreciated.


SNORT OUTPUT:
##########################

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file test.conf
PortVar 'HTTP_PORTS' defined :  [ 80]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined :  [ 1521]
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan
distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

command line overrides rules file alert plugin!
command line overrides rules file alert plugin!
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort-
2.8.0.2_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort-
2.8.0.2_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort-
2.8.0.2_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort-
2.8.0.2_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort-
2.8.0.2_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort-
2.8.0.2_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort-
2.8.0.2_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort-
2.8.0.2_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256

SMTP Config:
    Ports: 25 587 691
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
       RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None

DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED

DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
34 Snort rules read
    34 detection rules
    0 decoder rules
    0 preprocessor rules
34 Option Chains linked into 19 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port
Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       1       0       0       0
|     dst      14       1       0       0
|     any       9       2       8       2
|      nc      11       1       6       2
|     s+d       2       0       0       0
+----------------------------------------------------------------------------

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10
seconds=10
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Verifying Preprocessor Configurations!
Warning: flowbits key 'backdoor.netbus_2.connect' is set but not ever
checked.
1 out of 512 flowbits in use.

Initializing Network Interface lo
Decoding Ethernet on interface lo

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 19
| Patterns         : 106
| Pattern Chars    : 856
| Num States       : 573
| Num Match States : 93
| Memory           :   33.07Kbytes
|   Patterns       :   2.89K
|   Match Lists    :   3.09K
|   Transitions    :   25.46K
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0.2 (Build 75)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Using PCRE version: 7.0 18-Dec-2006

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.7  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
Not Using PCAP_FRAMES


ALERTS SHOWN BY SNORT
##########################

03/02-23:01:10.730046  [**] [1:249:10] DDOS mstream client to handler [**]
[Classification: Attempted Denial of Service] [Priority: 2] {TCP}
192.168.22.1:58684 -> 127.0.0.1:15104
03/02-23:01:10.764095  [**] [1:1257:12] DOS Winnuke attack [**]
[Classification: Attempted Denial of Service] [Priority: 2] {TCP}
192.168.22.1:40334 -> 127.0.0.1:135
03/02-23:01:10.765752  [**] [1:1257:12] DOS Winnuke attack [**]
[Classification: Attempted Denial of Service] [Priority: 2] {TCP}
192.168.22.1:40334 -> 127.0.0.1:135
03/02-23:01:10.776664  [**] [1:1980:4] BACKDOOR DeepThroat 3.+1 Connection
attempt [**] [Classification: Misc activity] [Priority: 3] {UDP}
192.168.22.1:14004 -> 127.0.0.1:2140
03/02-23:01:10.827647  [**] [1:485:5] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {ICMP} 192.168.22.1 -> 127.0.0.1
03/02-23:01:10.829293  [**] [1:486:5] ICMP Destination Unreachable
Communication with Destination Host is Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.22.1 ->
127.0.0.1


-- 
Regards
Kam

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Extending CSV output plug-in Kamran Shafi (Mar 01)
- Re: Extending CSV output plug-in Jason (Mar 01)
  - Message not available
    - Re: Extending CSV output plug-in Jason (Mar 02)
    - Re: Extending CSV output plug-in Kamran Shafi (Mar 02)
    - Re: Extending CSV output plug-in Jason (Mar 02)
    - Re: Extending CSV output plug-in Kamran Shafi (Mar 02)
    - Re: Extending CSV output plug-in Jason (Mar 02)