Snort mailing list archives
Re: Snort extension for layer 2 attacks
From: Chamara Devanarayana via Snort-devel <snort-devel () lists snort org>
Date: Thu, 5 Mar 2020 18:51:27 +0000
Hi Ali,

The following instructions are for SNORT 2.9. As mentioned below, you need to write a preprocessor. However, you need to modify the snort packet decoder as well.

At the decoder (src/decode.h and src/decode.c) you can filter the GOOSE packets using the Ether type, which should be 0x88b8. Define the protocol bit for GOOSE in decode.h, e.g. PROTO_BIT_GOOSE. If you detect this ether type you need to set this protocol bit in the Packet data structure in snort. Have a look at the DecodeEthTypes() function in decode.c.

Then, when you write the preprocessor in src/preprocessors, in the init function use AddFuncToPreprocList() to add the function that you use to process the GOOSE data when the above defined protocol bit is set. Furthermore, use session_api->enable_preproc_all_ports() to register the GOOSE functionality with the snort config.

Read through the arpSpoof code thoroughly.

Hope this helps.

Best regards,
Chamara

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Nicholas Mavis
Sent: March 2, 2020 12:52 PM
To: Awais Ali <awaisali901 () gmail com>
Cc: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort extension for layer 2 attacks

In my opinion, the best resource for writing a decoder is usually referencing the existing decoders provided in Snort. With some debugging and time in the code it should make a lot more sense. Unfortunately, decoders are not an easy thing to implement.

On Mon, Mar 2, 2020, 10:35 AM Awais Ali via Snort-devel <snort-devel () lists snort org> wrote:

I know there is an ARP preprocessor in snort. But I want to detect attacks in special layer 2 protocols like GOOSE, CDP etc. If I want to detect the attacks in the payload of the GOOSE protocol then there is no such solution, since snort detects payload of layer 3 and above. There are many such special protocols in layer 2 where, if you want to detect regular extensions/content in the payload, there is no such solution.

I want to extend snort in this domain by writing decoders of that particular protocol, the way we have for other protocols like tcp/udp above layer 3. I need guidelines and a little bit of technical support from you guys, or any better solution to do this task using snort. I hope you will cooperate in this regard. I am looking forward to hearing from you.

Thanks,
Awais Ali

On Mon, 2 Mar 2020, 15:35 Joel Esler (jesler), <jesler () cisco com> wrote:

We already have a layer 2 tool, check out the arpspoof preprocessor.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On Feb 28, 2020, at 12:56 PM, Awais Ali via Snort-devel <snort-devel () lists snort org> wrote:

Hello all,

I am a master student working in Siemens AG; nowadays I am working on a possible extension of snort for layer 2 attacks. As per my understanding, I need to write a decoder for that particular protocol and a preprocessor as well. Can someone guide me how I can write a decoder for any given layer 2 protocol, the way snort parses the protocols for layer 3 and above? I hope you will cooperate in this regard.

Thanks,
Awais Ali

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
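Modelled on the decode step Chamara describes above, the following is an added example and not Snort's own code: a self-contained GOOSE frame decoder that matches EtherType 0x88b8 (optionally behind an 802.1Q tag), validates the 8-byte GOOSE header (APPID, Length, Reserved1, Reserved2) against the captured length, and only then sets a protocol bit and exposes the APDU, which is what a preprocessor registered via the protocol bit would receive. The `PROTO_BIT_GOOSE`, `GoosePacket` and `decode_goose` names and the sample frame are hypothetical stand-ins for the real decode.h flag, the Packet struct and the DecodeEthTypes() branch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETHERTYPE_GOOSE 0x88b8u  /* IEC 61850 GOOSE, the EtherType named in the thread */
#define PROTO_BIT_GOOSE 0x0001u  /* hypothetical flag, modelled on snort's PROTO_BIT__* */
#define GOOSE_HDR_LEN   8        /* APPID(2) + Length(2) + Reserved1(2) + Reserved2(2) */

/* Stand-in for the fields a decoder would set in snort's Packet struct (hypothetical) */
typedef struct {
    uint32_t proto_bits;
    uint16_t appid;
    uint16_t goose_len;   /* Length field: header plus APDU, in bytes */
    const uint8_t *apdu;  /* start of the BER-encoded goosePdu (tag 0x61) */
    size_t apdu_len;
} GoosePacket;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 and fills *pkt for a well-formed GOOSE frame, 0 otherwise. Models the
 * decode step: match the EtherType (optionally behind an 802.1Q tag), then check the
 * header against the captured length before the APDU reaches a preprocessor. */
int decode_goose(const uint8_t *frame, size_t caplen, GoosePacket *pkt)
{
    size_t off = 14;                           /* dst(6) + src(6) + type(2) */
    memset(pkt, 0, sizeof *pkt);
    if (caplen < off) return 0;
    uint16_t type = rd16(frame + 12);
    if (type == 0x8100u) {                     /* VLAN tag: common on substation LANs */
        if (caplen < off + 4) return 0;
        type = rd16(frame + 16);
        off += 4;
    }
    if (type != ETHERTYPE_GOOSE || caplen - off < GOOSE_HDR_LEN) return 0;
    const uint8_t *g = frame + off;
    uint16_t len = rd16(g + 2);
    /* Length must cover the header, fit in the capture, and leave room for the APDU tag */
    if (len <= GOOSE_HDR_LEN || len > caplen - off || g[GOOSE_HDR_LEN] != 0x61) return 0;
    pkt->proto_bits |= PROTO_BIT_GOOSE;
    pkt->appid = rd16(g);
    pkt->goose_len = len;
    pkt->apdu = g + GOOSE_HDR_LEN;
    pkt->apdu_len = (size_t)len - GOOSE_HDR_LEN;
    return 1;
}

/* Constructed sample: untagged frame, APPID 0x0001, Length 12 (8-byte header + 4-byte APDU) */
static const uint8_t SAMPLE_FRAME[] = {
    0x01,0x0c,0xcd,0x01,0x00,0x01, 0x00,0x11,0x22,0x33,0x44,0x55, 0x88,0xb8,
    0x00,0x01, 0x00,0x0c, 0x00,0x00, 0x00,0x00, 0x61,0x02, 0x80,0x00 };
```

A frame whose Length field claims more bytes than were captured is rejected before any APDU parsing, which is the check that keeps a malformed GOOSE frame from driving an out-of-bounds read in the preprocessor.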