Snort mailing list archives
Re: First packet X-Forwarded-For information and sending to a Unix Socket (Snort 2.9.2.1)
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 18 Dec 2014 17:20:15 +0000
Thanks for sharing your solution. XFF and other extra data is supported only for unified2 output at present. Not sure where your patch might apply in the current version but we don't want to do the HTTP inspection twice. I've opened an internal bug to investigate further.

________________________________
From: Shane Boissevain [shaneboissevain () gmail com]
Sent: Thursday, December 18, 2014 11:31 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] First packet X-Forwarded-For information and sending to a Unix Socket (Snort 2.9.2.1)

Problem: When Snort 2.9.2.1 is configured to alert on the packet that contains the X-Forwarded-For information, as with the following rule, the X-Forwarded-For information is not available at the time of logging to the Unix Socket.

Testing Rule:
alert tcp any any -> any any (msg:"X-Forwarded-For Data Found"; content:"X-Forwarded-For"; classtype:misc-activity; sid:8000000; rev:1;)

Methodology: I modified the output-plugins/spo_alert_unixsock.c file to append the X-Forwarded-For Extra Data (referred to as the true_ip in the Snort code) to the socket, and modified what was reading from the socket to grab the additional 4 bytes. I then sent a few packets through a proxy and tripped the alerts, and found that while the Unified 2 file and Barnyard2 received a copy of the extra-data, the socket I was interested in was not.

I traced this down to the function SnortHttpInspect within preprocessors/snort_httpinspect.c. On line 3465, Detect(p) is called, BEFORE the HttpSessionData is defined, and had a chance to extract the X-Forwarded-For information. The alert is generated, and the socket written to; by now it is too late to append additional information. By defining the HttpSessionData early, the hi_mi_mode_inspection function can be called, which trails down into the call for the extract_http_xff method in preprocessors/HttpInspect/client/hi_client.c, which sets the true_ip for the session.
The following change has eliminated my problem: File: /preprocessors/snort_httpinspect.c 3440a3441,3442
hsd = GetHttpSessionData(p);
3464a3467,3478
/*Ensure that HttpSessionData exists, so that the XFF data can be set.*/ if (hsd == NULL) hsd = SetNewHttpSessionData(p, (void *)Session); else { /* Gzip data should not be logged with all the packets of the session.*/ hsd->log_flags &= ~HTTP_LOG_GZIP_DATA; hsd->log_flags &= ~HTTP_LOG_JSNORM_DATA; } hi_mi_mode_inspection(Session, iInspectMode, p, hsd);
3469a3484
3474d3488 < hsd = GetHttpSessionData(p); 3507a3522
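Review bot: the 3464a3467,3478 hunk adds a hi_mi_mode_inspection(Session, iInspectMode, p, hsd) call ahead of Detect(p), but none of the posted hunks shows a hi_mi_mode_inspection() line being deleted, so as posted the HTTP inspection would run a second time after detection on every packet (the double-inspection concern raised in the reply); the 3469a3484 and 3507a3522 hunks also carry no `>` lines, so whatever they add is missing from the post. Please repost as `diff -u` against a clean 2.9.2.1 tree so the removed call and the two empty hunks are visible, and note that the `else` branch clears HTTP_LOG_GZIP_DATA and HTTP_LOG_JSNORM_DATA on every packet of an existing session before inspection, which is only correct if the original post-Detect code that did this is removed rather than duplicated.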
Standing questions: For my purposes, I required the http session data earlier for output to the Unix Socket. This seems to be the most logical way to accomplish that, but I wanted to check with the community to ensure that:

1) There was not a simpler way to do this.
2) A reason it was not done this way to begin with.

Thank you, if you've gotten this far. Also, I apologize if this is not the correct media to present this, however I did want to publish this in case anyone else hits a similar issue or desire (even though this is an old version of snort).
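The mechanism described in the quoted message has two halves: pulling the original client address out of X-Forwarded-For, and carrying it as four extra bytes on the end of each Unix-socket alert record so a consumer can read it. The following is an added example (not code from the post and not Snort's own code or its Alertpkt layout); the record framing, the field names and the sample request are constructed for illustration, and the consumer handles the case the post ran into, a record that arrives without the trailing true_ip.

```python
"""Constructed example: XFF extraction plus a Unix-socket alert record that
carries an optional trailing 4-byte true_ip. The record layout below is
invented for this example and is NOT Snort's Alertpkt structure."""
import socket
import struct
from typing import Optional, Tuple

# Constructed record layout: 256-byte NUL-padded alert message, 4-byte packet
# length (network order), the packet bytes, then an OPTIONAL 4-byte IPv4
# true_ip in network order. A record without the tail is the pre-patch case.
HDR = struct.Struct("!256sI")


def extract_xff(raw_request: bytes) -> Optional[str]:
    """Return the first address listed in X-Forwarded-For, or None.

    The first entry is the address the first proxy saw, which is what the
    post calls the true_ip. The header is client-supplied, so only the hop
    appended by a proxy you control is trustworthy; log it, do not act on it.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"x-forwarded-for":
            first = value.split(b",")[0].strip().decode("ascii", "replace")
            try:
                socket.inet_aton(first)  # reject non-IPv4 junk
            except OSError:
                return None
            return first
    return None


def build_record(msg: str, pkt: bytes, true_ip: Optional[str]) -> bytes:
    """Serialise one alert record; append true_ip only when it is known."""
    rec = HDR.pack(msg.encode("ascii"), len(pkt)) + pkt
    if true_ip is not None:
        rec += socket.inet_aton(true_ip)
    return rec


def parse_record(rec: bytes) -> Tuple[str, bytes, Optional[str]]:
    """Parse a record; returns (message, packet, true_ip or None)."""
    msg_raw, pkt_len = HDR.unpack_from(rec, 0)
    pkt = rec[HDR.size:HDR.size + pkt_len]
    if len(pkt) != pkt_len:
        raise ValueError("truncated packet in alert record")
    tail = rec[HDR.size + pkt_len:]
    if len(tail) == 0:
        true_ip = None            # record written before XFF was extracted
    elif len(tail) == 4:
        true_ip = socket.inet_ntoa(tail)
    else:
        raise ValueError("unexpected %d trailing bytes" % len(tail))
    return msg_raw.rstrip(b"\0").decode("ascii"), pkt, true_ip


def round_trip() -> Tuple[str, bytes, Optional[str]]:
    """Send one record over an AF_UNIX datagram pair and parse it back."""
    writer, reader = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # Constructed request: 203.0.113.7 is the documentation-range client,
        # 10.0.0.2 the proxy that forwarded it.
        req = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"X-Forwarded-For: 203.0.113.7, 10.0.0.2\r\n\r\n")
        writer.send(build_record("X-Forwarded-For Data Found", req,
                                 extract_xff(req)))
        return parse_record(reader.recv(70000))
    finally:
        writer.close()
        reader.close()


if __name__ == "__main__":
    print(round_trip())
```

The length check in parse_record is what makes the consumer robust to both record shapes: a 4-byte tail is decoded as the true_ip, no tail means the writer had nothing to append yet, and anything else is treated as a framing error rather than silently misread as an address.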
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!