Snort mailing list archives

Re: Snort++ dynamic inspector questions


From: Russ <rucombs () cisco com>
Date: Mon, 15 Aug 2016 15:44:50 -0400


On 8/15/16 2:57 PM, Henry Foster wrote:
> Hi all,
>
> I'm working on writing a dynamic Snort++ inspector to reassemble MPTCP streams. I've been doing my best to RTFS, but was hoping someone could help me with a couple questions. I feel like the answers are probably pretty obvious, but I've been having trouble figuring them out.
>
> 1. Is it possible to craft and submit a pseudopacket for detection from a dynamic plug-in? I took a look at the TCP stream source and it looks like Snort::detect_rebuilt_packet would be a good thing to use, but I'm not sure how to go about calling it from a dynamic plug-in. I don't suppose there's an API for submitting rebuilt packets? Currently, for testing, I'm overwriting the data pointer of the actual packet (p) that gets passed to the plug-in, but doing this makes me feel dirty inside.
Are you reassembling actual wire packets or just payload? Do you want inspection (e.g. of HTTP by http_inspect) or just detection? You can call snort_detect() for the latter case. Note that Packet is a "unit of work" and may have actual wire packet data or just be a reassembled or normalized buffer of some sort.
> 2. What's the best way to get all the TCP packets to my plugin?
> I started with the DPX example and have been building on top of it. Currently, I'm using IT_NETWORK and PktType::TCP, however, I've noticed that my plugin's eval() is not getting called with ACKs / non-payload segments from the tcp receiver -> tcp initiator. I'd like to receive all the packets as there's some MPTCP control information that's included in the options field of those ACK packets: I want to keep track of a nonce that is sent when additional subflows are joining an MPTCP connection (in the SYN/ACK of the handshake), and MPTCP data sequence mappings that are sometimes sent in ACKs.
Use IT_PACKET to get all raw packets.

> Disclaimer: Right now, I'm just trying to prototype this out. The actual plug-in code does very little work; I use Protocol Buffers to ship off the parts of the header I need to a server written in Python that does the actual reassembly.

What is the context of what you are doing? Are you trying to offload certain traffic for inspection elsewhere or is the python server going to send stuff back? Are you trying to do this while Snort also inspects the other traffic in the usual manner?

There are other possibilities depending upon what you are trying to do. And you may have flow tracking issues with MPTCP. Send some more details and I can try to help out.
> Thanks!
>
> -Henry
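
The two MPTCP option fields the question above asks about, the MP_JOIN nonce in the SYN/ACK and the DSS data sequence mapping in ACKs, parsed out of a raw TCP header the way a Python receiver like the one described might do it. This is an added example, not code from the thread or from Snort; the header builder and the sample option values are constructed for illustration.

```python
"""MPTCP (TCP option kind 30) parser per RFC 6824. Added example, not Snort or poster code."""
import struct
MPTCP_KIND, MP_JOIN, DSS = 30, 1, 2

def iter_tcp_options(tcp_hdr: bytes):
    """Yield (kind, value) for every option in a raw TCP header."""
    opts, i = tcp_hdr[20:(tcp_hdr[12] >> 4) * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # End of option list
            return
        if kind == 1:                                  # NOP padding
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):       # bogus or truncated length
            raise ValueError("malformed TCP option")
        yield kind, opts[i + 2:i + length]
        i += length

def parse_mptcp(tcp_hdr: bytes) -> dict:
    """Return MP_JOIN (SYN/ACK form) and DSS mapping fields found in the header."""
    out = {}
    for kind, v in iter_tcp_options(tcp_hdr):
        if kind != MPTCP_KIND or len(v) < 2:
            continue
        subtype = v[0] >> 4                            # high nibble after length
        if subtype == MP_JOIN and len(v) == 14:        # SYN/ACK form, option length 16
            out["join"] = {"addr_id": v[1], "trunc_hmac": v[2:10],
                           "nonce": struct.unpack("!I", v[10:14])[0]}
        elif subtype == DSS:
            flags, pos = v[1], 2                       # low bits: F m M a A
            if flags & 0x01:                           # A: Data ACK present
                pos += 8 if flags & 0x02 else 4        # a: Data ACK is 8 bytes
            if flags & 0x04:                           # M: DSN mapping present
                n = 8 if flags & 0x08 else 4           # m: DSN is 8 bytes
                dsn = int.from_bytes(v[pos:pos + n], "big")
                ssn, dll = struct.unpack("!IH", v[pos + n:pos + n + 6])   # struct.error if truncated
                out["dss"] = {"dsn": dsn, "ssn": ssn, "data_len": dll,
                              "checksum": len(v) - (pos + n + 6) >= 2}
    return out

def tcp_header(flags: int, options: bytes) -> bytes:
    """Constructed 20-byte TCP header plus options padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, ((20 + len(options)) // 4) << 4, flags, 65535, 0, 0) + options

# Constructed samples (not captured traffic): SYN/ACK with MP_JOIN (addr id 1, nonce 0xDEADBEEF); ACK with two NOPs then DSS (4-byte Data ACK, 4-byte DSN).
SYNACK = tcp_header(0x12, bytes([30, 16, 0x10, 1]) + b"\x11" * 8 + struct.pack("!I", 0xDEADBEEF))
ACK = tcp_header(0x10, b"\x01\x01" + bytes([30, 18, 0x20, 0x05]) + struct.pack("!IIIH", 1000, 5000, 1, 1400))
```

Whether the DSS checksum field is present is inferred from the option length, as the RFC requires, so a receiver must not assume a fixed mapping size.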


------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. http://sdm.link/zohodev2dev


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
