Snort mailing list archives

Re: First packet X-Forwarded-For information and sending to a Unix Socket (Snort 2.9.2.1)


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 18 Dec 2014 17:20:15 +0000

Thanks for sharing your solution.  XFF and other extra data is supported only for unified2 output at present.  Not sure 
where your patch might apply in the current version but we don't want to do the HTTP inspection twice.  I've opened an 
internal bug to investigate further.

________________________________
From: Shane Boissevain [shaneboissevain () gmail com]
Sent: Thursday, December 18, 2014 11:31 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] First packet X-Forwarded-For information and sending to a Unix Socket (Snort 2.9.2.1)

Problem:
    When Snort 2.9.2.1 is configured to alert on the packet that contains the X-Forwarded-For information, as with the 
following rule, the X-Forwarded-For information is not available at the time of logging to the Unix Socket.

Testing Rule:
    alert tcp any any -> any any (msg:"X-Forwarded-For Data Found"; content:"X-Forwarded-For"; classtype:misc-activity; 
sid:8000000; rev:1;)

Methodology:
    I modified the output-plugins/spo_alert_unixsock.c file to append the X-Forwarded-For Extra Data (referred to as 
the true_ip in the Snort code) to the socket, and modified what was reading from the socket to grab the additional 4 
bytes. I then sent a few packets through a proxy and tripped the alerts, and found that while the Unified 2 file and 
Barnyard2 received a copy of the extra-data, the socket I was interested in was not. I traced this down to the function 
SnortHttpInspect within preprocessors/snort_httpinspect.c.
    On line 3465, Detect(p) is called BEFORE the HttpSessionData is defined and has had a chance to extract the 
X-Forwarded-For information. The alert is generated, and the socket written to; by now it is too late to append 
additional information. By defining the HttpSessionData early, the hi_mi_mode_inspection function can be called, which 
trails down into the call for the extract_http_xff method in preprocessors/HttpInspect/client/hi_client.c, which sets 
the true_ip for the session. The following change has eliminated my problem:

File: /preprocessors/snort_httpinspect.c

3440a3441,3442
    hsd = GetHttpSessionData(p);
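
Review bot: The patch is in normal diff output, but the added lines carry no `>` prefix (only the deletion in 3474d3488 carries its `<`), so it cannot be applied with patch(1) as pasted; the header 3440a3441,3442 also announces two added lines while only one non-blank line is shown. Please resend as a unified diff (`diff -u`) against a stated source revision so the surrounding context these line-numbered hunks omit is visible.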

3464a3467,3478

        /*Ensure that HttpSessionData exists, so that the XFF data can be set.*/
        if (hsd == NULL)
            hsd = SetNewHttpSessionData(p, (void *)Session);
        else
        {
            /* Gzip data should not be logged with all the packets of the session.*/
            hsd->log_flags &= ~HTTP_LOG_GZIP_DATA;
            hsd->log_flags &= ~HTTP_LOG_JSNORM_DATA;
        }
        hi_mi_mode_inspection(Session, iInspectMode, p, hsd);
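
Review bot: The early call `hi_mi_mode_inspection(Session, iInspectMode, p, hsd);` runs ahead of Detect(p), yet the other hunks only delete the later `hsd = GetHttpSessionData(p);` (3474d3488) and add blank lines, so nothing in the patch shows the original inspection call being removed; as posted this inspects the same packet twice, which is the concern raised in the reply. Either drop the original call in the same patch or guard the early call so it runs once per packet. Separately, the value returned by `SetNewHttpSessionData(p, (void *)Session)` is handed straight to hi_mi_mode_inspection with no NULL check; add one (and skip the early inspection when it fails) before using hsd.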

3469a3484

3474d3488
<     hsd = GetHttpSessionData(p);
3507a3522


Standing questions:
    For my purposes, I required the http session data earlier for output to the Unix Socket. This seems to be the most 
logical way to accomplish that, but I wanted to check with the community to ensure that:
    1) There was not a simpler way to do this.
    2) A reason it was not done this way to begin with.

Thank you, if you've gotten this far. Also, I apologize if this is not the correct medium to present this, however I did 
want to publish this in case anyone else hits a similar issue or desire (even though this is an old version of snort).