Snort mailing list archives

Re: Option for one-line "raw" packet dump (ascii and hex) in alert_fast output module


From: Roberto Moreda <moreda () allenta com>
Date: Thu, 28 Jul 2016 13:35:13 +0200

Hi, Ed.

Just to update on the subject, the new url to get the patch ready for 2.9.8.x is
https://github.com/moreda/snort/compare/2.9.8.0...2.9.8.0-packetraw.diff

I think that this extends in a neat way (backwards compatible, non-intrusive code) the alert_fast plugin, so we can 
have a nicely formatted payload in the alert message. Any idea if this could make it to the codebase now?

Thanks a lot!

  Roberto 

---
Roberto Moreda
Allenta Consulting <http://www.allenta.com/> (+34 881922600)
ISO 9001, ISO 14001, ISO 27001, EMAS <http://www.allenta.com/achievements>
Privacidad / Privacy <https://www.allenta.com/privacidad-del-correo-electronico>
On 08 Oct 2015, at 21:43, Roberto Moreda <moreda () allenta com> wrote:

Hi, Ed.

It’s my pleasure to be able to help. 
Incorporation into the codebase would be more than welcome (saving me and others patching time when new versions of 
Snort arrive). I’d be happy to adapt, explain or do whatever for that to happen :-)

Best,

  Roberto


On 08 Oct 2015, at 20:20, Ed Borgoyn (eborgoyn) <eborgoyn () cisco com> wrote:

Hello Roberto,

  Thank you for the Snort improvement recommendation and patch.  I cannot say for certain that it will be 
incorporated into the snort codebase.  But we will add your request and patch to the snort feature request log.

    Best Regards,
    Ed Borgoyn
    Cisco Snort Development Team


From: Roberto Moreda <moreda () allenta com>
Date: Wednesday, October 7, 2015 at 7:29 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Option for one-line "raw" packet dump (ascii and hex) in alert_fast output module

Hi, all.

I hope I’m not bringing up an old or closed subject. I made some searches and I couldn’t find anything clear about 
my problem :-) 

For some time I have been using Snort as a source of “security events” for several log consolidation or SIEM 
systems. Most of those systems assume one-line alerts as input, with the minimal info (i.e. name/id of the 
signature, severity, category, source and destination). The problem is that analysts usually would like to have the 
payload of the packet to assess false positives at once.

In order to not interfere with the usual “field recognition patterns” of such systems, I opted to extend the 
alert_fast output module this way:

… 
output alert_fast: [<filename> ["packet"|"packetraw"] [<limit>]]

* packetraw: this option will cause brief single-line entries
                 to be logged with the content of the packet in raw format (ascii and hexadecimal
                 dumps) appended.
…

This is absolutely backwards compatible, not affecting current Snort configurations.

The result with the “packetraw” option in the alert_fast output module configuration should be one line per alert, 
as:

10/08/15-01:03:16.909442  [**] [3:21355:4]  <eth1> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} XX.XX.XX.XX:53 -> YY.YY.YY.YY:12563 ...z[…]  0001D77A[…]

Note that the ...z[…]  0001D77A[…] is shortened on purpose, but the idea is basically what’s shown. Once again, this 
should be backwards compatible with sane parsers in most of log consolidation or SIEM systems *and* appends the 
ascii and hexadecimal dump of the raw packet to each event, offering a great way to assess false positives and make 
accurate general searches.

I wrote a patch against 2.9.7.6 to enable this behaviour, that you can see here in a fancy format:
https://github.com/moreda/snort/compare/2.9.7.6...2.9.7.6-packetraw
or download here, ready to apply:
https://github.com/moreda/snort/compare/2.9.7.6...2.9.7.6-packetraw.diff

I know that the general idea is to avoid extra logic in the output modules, letting other processes cope with 
unified2 to convert data to whatever format… but I’m pretty sure that this tiny addition could lower complexity in 
many deployments by allowing payload info to be included in a very simple way.

Please, feel free to criticise, correct or comment about my proposal.
Thank you very much!

  Roberto  
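A consumer-side parser for the one-line layout proposed in this message, added here as an example and not part of the patch or of Snort: it assumes the appended suffix is the ascii dump, two spaces, then the hex dump (as in the shortened sample above), that non-printable bytes render as '.', and the payload bytes and addresses it uses are constructed.

```python
import re

# Standard alert_fast layout; the optional trailing group catches whatever
# follows the destination, i.e. the dumps that "packetraw" appends.
ALERT_FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:<(?P<iface>[^>]+)>\s+)?(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?(?: (?P<raw>.*))?$"
)

def ascii_dump(data: bytes) -> str:
    """Printable ASCII as-is, every other byte as '.' (assumed rendering)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def parse_packetraw_line(line: str) -> dict:
    """Split an alert_fast line into fields and decode the packetraw suffix,
    assumed to be "<ascii dump>  <hex dump>" as in the e-mail's sample."""
    m = ALERT_FAST_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an alert_fast line")
    rec = m.groupdict()
    raw = rec.pop("raw")
    rec.update(ascii_dump=None, hex_dump=None, payload=None)
    if raw is not None:
        parts = raw.rsplit("  ", 1)  # the hex dump never contains whitespace
        if len(parts) != 2:
            raise ValueError("packetraw suffix lacks '<ascii>  <hex>' layout")
        rec["ascii_dump"], rec["hex_dump"] = parts
        rec["payload"] = bytes.fromhex(rec["hex_dump"])
        # Hex is authoritative; a disagreeing ascii dump means the line was
        # truncated or re-wrapped somewhere between Snort and the consumer.
        if ascii_dump(rec["payload"]) != rec["ascii_dump"]:
            raise ValueError("ascii and hex dumps disagree")
    return rec

# Constructed payload: the first four bytes are the ones visible in the
# e-mail's sample ("...z" / "0001D77A"); the rest is made up for the demo.
PAYLOAD = bytes.fromhex("0001D77A8180000100010000000003") + b"www\x07example\x03com\x00\x00\x01\x00\x01"

# Constructed alert line (RFC 5737 addresses) in the proposed one-line layout.
SAMPLE_LINE = (
    "10/08/15-01:03:16.909442  [**] [3:21355:4]  <eth1> PROTOCOL-DNS potential dns "
    "cache poisoning attempt - mismatched txid [**] [Classification: Attempted "
    "Information Leak] [Priority: 2] {UDP} 192.0.2.10:53 -> 198.51.100.7:12563 "
    f"{ascii_dump(PAYLOAD)}  {PAYLOAD.hex().upper()}"
)
```

Lines without the suffix (plain alert_fast output) parse the same way, with the dump fields left as None, so one parser serves both configurations.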


------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
