Snort mailing list archives
First packet X-Forwarded-For information and sending to a Unix Socket (Snort 2.9.2.1)
From: Shane Boissevain <shaneboissevain () gmail com>
Date: Thu, 18 Dec 2014 10:31:25 -0600
*Problem:* When Snort 2.9.2.1 is configured to alert on the packet that contains the X-Forwarded-For information, as with the following rule, the X-Forwarded-For information is not available at the time of logging to the Unix Socket.

*Testing Rule:* alert tcp any any -> any any (msg:"X-Forwarded-For Data Found"; content:"X-Forwarded-For"; classtype:misc-activity; sid:8000000; rev:1;)

*Methodology:* I modified the output-plugins/spo_alert_unixsock.c file to append the X-Forwarded-For Extra Data (referred to as the true_ip in the Snort code) to the socket, and modified what was reading from the socket to grab the additional 4 bytes. I then sent a few packets through a proxy and tripped the alerts, and found that while the Unified 2 file and Barnyard2 received a copy of the extra data, the socket I was interested in did not. I traced this down to the function SnortHttpInspect within preprocessors/snort_httpinspect.c. On line 3465, Detect(p) is called BEFORE the HttpSessionData is defined and has had a chance to extract the X-Forwarded-For information. The alert is generated and the socket written to; by then it is too late to append additional information. By defining the HttpSessionData early, the hi_mi_mode_inspection function can be called, which trails down into the call to the extract_http_xff method in preprocessors/HttpInspect/client/hi_client.c, which sets the true_ip for the session. The following change has eliminated my problem:

File: /preprocessors/snort_httpinspect.c
3440a3441,3442
hsd = GetHttpSessionData(p);
3464a3467,3478
/*Ensure that HttpSessionData exists, so that the XFF data can be
set.*/
if (hsd == NULL) hsd = SetNewHttpSessionData(p, (void *)Session); else { /* Gzip data should not be logged with all the packets of the
session.*/
hsd->log_flags &= ~HTTP_LOG_GZIP_DATA; hsd->log_flags &= ~HTTP_LOG_JSNORM_DATA; } hi_mi_mode_inspection(Session, iInspectMode, p, hsd);
3469a3484
3474d3488 < hsd = GetHttpSessionData(p); 3507a3522
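Review bot: the block added at 3464a3467,3478 calls hi_mi_mode_inspection(Session, iInspectMode, p, hsd) ahead of Detect(p), but the only deletion in the posted diff is the later `hsd = GetHttpSessionData(p);` at 3474d3488; if the existing hi_mi_mode_inspection call that follows Detect(p) is still in place, every packet would now be inspected twice, with whatever effect that has on session state and on the gzip/jsnorm log flags the added else-branch clears. Suggest either removing or guarding the later call in the same patch, or stating why a second pass is intended.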
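Review bot: the regions 3469a3484 and 3507a3522 appear without the lines they add, so the change as posted cannot be applied with patch(1) or reviewed for those spots. Please resend as a unified diff (diff -u) against 2.9.2.1 so the inserted lines and their surrounding context are visible.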
*Standing questions:* For my purposes, I required the HTTP session data earlier for output to the Unix Socket. This seems to be the most logical way to accomplish that, but I wanted to check with the community to ensure that:

1) There was not a simpler way to do this.
2) There was not a reason it was not done this way to begin with.

Thank you, if you've gotten this far. Also, I apologize if this is not the correct medium to present this; however, I did want to publish this in case anyone else hits a similar issue or desire (even though this is an old version of Snort).
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
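As an added illustration (not code from the post or from Snort itself), the following Python sketches the data the post is chasing: it pulls the first X-Forwarded-For entry out of a constructed first-packet request, the way the post describes extract_http_xff setting the session's true_ip, packs it into the 4 network-order bytes the author appended to each Unix-socket record, and shows a socket consumer tolerating records that carry no extra bytes. The sample requests and the base_len parameter are assumptions; they do not reproduce Snort's Alertpkt layout.

```python
import ipaddress
import socket

# Constructed sample requests (not captured traffic): the "first packet" of a
# proxied HTTP session, as matched by the rule in the post.
REQ_WITH_XFF = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Forwarded-For: 203.0.113.7, 198.51.100.2\r\n"
    b"\r\n"
)
REQ_WITHOUT_XFF = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def extract_xff(raw_request: bytes):
    """Return the first X-Forwarded-For address, or None if absent/invalid.

    Mirrors what the post describes extract_http_xff doing for true_ip: the
    first comma-separated entry wins.  The header name is matched
    case-insensitively (HTTP semantics), which a bare `content:` match is not.
    The header is client-supplied; only the hop your own proxy appended
    (the last entry) is trustworthy.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"x-forwarded-for":
            continue
        first = value.split(b",")[0].strip().decode("ascii", "replace")
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            return None  # malformed entry: no true_ip would be set
    return None


def pack_true_ip(ip: str) -> bytes:
    """Encode an IPv4 true_ip as the 4 network-order bytes appended to each
    Unix-socket alert record (assumption: IPv4 only)."""
    return socket.inet_aton(ip)


def unpack_true_ip(record: bytes, base_len: int):
    """Recover the appended true_ip from a socket record.  base_len is the
    size of the unmodified record (platform-dependent, hence a parameter);
    a record of exactly base_len carries no XFF data."""
    if len(record) == base_len + 4:
        return socket.inet_ntoa(record[base_len:])
    return None
```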