Snort mailing list archives

Re: Custom dynamic preprocessor - How to display alert message passed to alertAdd func?


From: "Seshaiah Erugu (serugu)" <serugu () cisco com>
Date: Thu, 22 Sep 2016 08:59:38 +0000

Hi Jan,

To generate an alert as you expect with dynamic user data, you have to add this rule to the preprocessor.rules file. Please
refer to the following example.

Example #

The following is the reference code to implement the preprocessor alert. Please refer to the complete code.

1 ) Add your rule to the preprocessor.rules file.

    Ex # alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop; classtype:attempted-user; reference:cve,2002-1090; )

2 ) Write a wrapper function and call _dpd.alertAdd from this function.

    Ex # ./dynamic-preprocessors/smtp/smtp_log.c

    void SMTP_GenerateAlert(int event, char *format, ...)
    {
        va_list ap;                 /* needed for the vsnprintf() call below */
        /* ... (lines elided in the original message) ... */

        va_start(ap, format);
        smtp_event[event][0] = '\0';
        vsnprintf(&smtp_event[event][0], EVENT_STR_LEN - 1, format, ap);
        smtp_event[event][EVENT_STR_LEN - 1] = '\0';   /* force the terminator */
        va_end(ap);

        _dpd.alertAdd(GENERATOR_SMTP, event, 1, 0, 3, &smtp_event[event][0], 0);

        /* ... (lines elided in the original message) ... */
    }

      
3 ) Wherever you want to generate an alert, please call your GenerateAlert function with the proper data.
                    
    Ex # SMTP_GenerateAlert(SMTP_RESPONSE_OVERFLOW, "%s: %d chars", SMTP_RESPONSE_OVERFLOW_STR, resp_line_len);

    In your case you should call the GenerateAlert function inside the "IF":

    if (parsed.src_user_name == "bad_intruder") {
        gid=100000; sid=9000000; revision=1; classification=0; priority=3; rule_info=0;
        msg=src_user_name + " attacks " + dest_address;
        XXXX_GenerateAlert (sid, msg, len);
    }


  Please check the following functions for adding #define

    ./dynamic-preprocessors/smtp/smtp_log.h

        #define SMTP_RESPONSE_OVERFLOW      3
        #define SMTP_RESPONSE_OVERFLOW_STR  "(smtp) Attempted response buffer overflow"

    ./generators.h

        #define GENERATOR_SMTP              124
        #define SMTP_RESPONSE_OVERFLOW      3



Refer to the SMTP_RESPONSE_OVERFLOW alert code and you will get a complete understanding.
Let me know if you need any more info.



Thanks,
Seshaiah Erugu.
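The wrapper pattern described above, applied to the check from the question, as an added C example that is not code from either message or from Snort's own tree. It assumes a minimal stand-in for the alertAdd member of Snort's _dpd (the real struct is defined in the dynamic preprocessor headers), uses the gid/sid from the question, and shows the fixed-buffer truncation behaviour for an over-long message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define GENERATOR_MYPROTO 100000   /* gid from the question */
#define EVENT_STR_LEN     256      /* fixed per-event buffer, as in smtp_log.c */
/* Event ids index the message buffers; the matching sids live in a table. */
enum { MYPROTO_BAD_USER = 0, MYPROTO_MAX_EVENTS };
static const unsigned myproto_sid[MYPROTO_MAX_EVENTS] = { 9000000 };
static char myproto_event[MYPROTO_MAX_EVENTS][EVENT_STR_LEN];
/* Assumption: minimal stand-in for the alertAdd member of Snort's _dpd that
 * records what the engine would receive, so this file builds on its own. */
struct alert_rec { unsigned gid, sid; char msg[EVENT_STR_LEN]; };
static struct alert_rec last;
static int stub_alertAdd(unsigned gid, unsigned sid, unsigned rev, unsigned cls,
                         unsigned prio, const char *msg, void *rule_info)
{
    (void)rev; (void)cls; (void)prio; (void)rule_info;
    last.gid = gid; last.sid = sid;
    snprintf(last.msg, sizeof last.msg, "%s", msg);
    return 0;
}
static struct { int (*alertAdd)(unsigned, unsigned, unsigned, unsigned, unsigned,
                                const char *, void *); } _dpd = { stub_alertAdd };
const struct alert_rec *last_alert(void) { return &last; }
/* Wrapper in the style of SMTP_GenerateAlert: format into the per-event buffer,
 * force the terminator, hand the text to alertAdd. Returns the vsnprintf length,
 * so a result >= EVENT_STR_LEN - 1 tells the caller the text was truncated. */
int MYPROTO_GenerateAlert(int event, const char *format, ...)
{
    va_list ap;
    int n;
    if (event < 0 || event >= MYPROTO_MAX_EVENTS)
        return -1;                              /* unknown event: no alert */
    va_start(ap, format);
    n = vsnprintf(myproto_event[event], EVENT_STR_LEN - 1, format, ap);
    myproto_event[event][EVENT_STR_LEN - 1] = '\0';
    va_end(ap);
    _dpd.alertAdd(GENERATOR_MYPROTO, myproto_sid[event], 1, 0, 3,
                  myproto_event[event], 0);
    return n;
}
/* The check from the question; returns the delivered message, or NULL. */
const char *check_user(const char *src_user_name, const char *dest_address)
{
    if (strcmp(src_user_name, "bad_intruder") != 0)
        return NULL;
    MYPROTO_GenerateAlert(MYPROTO_BAD_USER, "%s attacks %s", src_user_name, dest_address);
    return last.msg;
}
```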

-----Original Message-----
From: Jan Hermes [mailto:jan.hermes () hotmail de] 
Sent: Wednesday, September 21, 2016 7:27 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Custom dynamic preprocessor - How to display alert message passed to alertAdd func?

Hello,

I built a dynamic preprocessor and would like it to create several specific alert messages. Let me give you a short 
example with some fictional assumptions:

- the preproc parses specific protocols that are not native for snort

- let's say the protocol is: [src_address, dest_address, src_user_name]

- the preprocessor parses all this information from the packet

- if the src_user_name equals "bad_intruder", I want an alert to be generated (of course the easified concatenation and 
comparison of strings is only for better reading):
------------------------------------------------------
if (parsed.src_user_name == "bad_intruder") {
    gid=100000; sid=9000000; revision=1; classification=0; priority=3; rule_info=0;
    msg=src_user_name + " attacks " + dest_address;
    _dpd.alertAdd(gid, sid, revision, classification, priority, msg, rule_info);
}
-------------------------------------------------------

- the local.rules file has this entry:
        alert (sid: 9000000; gid: 100000; msg: "alarm"; rev: 1 )

- the output I get from the alert detection is:
         09/21-13:30:18.178080  [**] [100000:9000000:1] alarm [**]

- But I would like it to display the way I passed it within the preprocessor's code, e.g.:

         09/21-13:30:18.178080  [**] [100000:9000000:1] bad_intruder attacks 172.223.9.151 [**]


How can I achieve this? I already tried to omit the message in the local.rules, which leaves me without any message at all.

Thanks,
Jan



------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
