Snort mailing list archives

Re: Snort extension for layer 2 attacks


From: Chamara Devanarayana via Snort-devel <snort-devel () lists snort org>
Date: Thu, 5 Mar 2020 18:51:27 +0000

Hi Ali,
The following instructions are for Snort 2.9.
As mentioned below, you need to write a preprocessor. However, you need to modify the Snort packet decoder as well. In 
the decoder (src/decode.h and src/decode.c) you can filter the GOOSE packets using the Ethertype, which should be 
0x88b8. Define the protocol bit for GOOSE in decode.h, e.g. PROTO_BIT_GOOSE. If you detect this Ethertype you need to 
set this protocol bit in the Packet data structure in Snort. Have a look at the DecodeEthTypes() function in decode.c. 
Then, when you write the preprocessor in src/preprocessors, in the init function use AddFuncToPreprocList() to add the 
function that you use to process the GOOSE data when the above-defined protocol bit is set. Furthermore, use 
session_api->enable_preproc_all_ports() to register the GOOSE functionality with the Snort config. Read through the 
arpSpoof code thoroughly.
Hope this helps.
Best regards,
Chamara
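
A stand-alone C sketch of the decoder-to-preprocessor hand-off Chamara describes. This is an added example, not Snort's 
code and not from anyone in this thread: the Packet struct, PROTO_BIT_GOOSE, decode_eth() and goose_preproc() are 
stand-ins for Snort's Packet, DecodeEthTypes() and the function you would hand to AddFuncToPreprocList(), and their 
shapes here are assumptions. It goes slightly beyond the message by also skipping one 802.1Q VLAN tag, since GOOSE is 
normally VLAN-tagged in substations. The GOOSE framing it checks (Ethertype 0x88b8, the 8-byte APPID/Length/Reserved 
header, BER goosePdu tag 0x61) follows IEC 61850-8-1; the sample frames are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_VLAN   0x8100
#define ETHERTYPE_GOOSE  0x88b8
#define ETH_HDR_LEN      14
#define GOOSE_HDR_LEN    8            /* APPID(2) Length(2) Reserved1(2) Reserved2(2) */
#define GOOSE_PDU_TAG    0x61         /* BER tag of the IEC 61850 goosePdu */
#define PROTO_BIT_GOOSE  0x00100000u  /* assumed free bit; real decode.h bit values differ */

/* Stand-in for Snort's Packet: only the fields this sketch needs. */
typedef struct {
    uint32_t       proto_bits;
    const uint8_t *goose;      /* start of the GOOSE header, NULL if not GOOSE */
    uint32_t       goose_len;  /* bytes from the GOOSE header to the end of the frame */
} Packet;

typedef enum {
    GOOSE_OK = 0,
    GOOSE_NOT_GOOSE,   /* bit not set: the preprocessor returns immediately */
    GOOSE_TRUNCATED,   /* frame ends before the 8-byte GOOSE header */
    GOOSE_BAD_LENGTH,  /* Length field overruns the frame or leaves no APDU */
    GOOSE_BAD_TAG      /* APDU does not start with the goosePdu tag 0x61 */
} goose_verdict;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decoder stage: the logic you would add to DecodeEthTypes() in decode.c.
   Returns 1 if the frame is GOOSE (bit set), 0 if not, -1 if too short. */
int decode_eth(Packet *p, const uint8_t *frame, uint32_t len)
{
    memset(p, 0, sizeof *p);
    if (len < ETH_HDR_LEN) return -1;
    uint32_t off = ETH_HDR_LEN;
    uint16_t ethertype = be16(frame + 12);
    /* Skip a single 802.1Q tag: TPID 0x8100, TCI, then the real Ethertype. */
    if (ethertype == ETHERTYPE_VLAN) {
        if (len < off + 4) return -1;
        ethertype = be16(frame + off + 2);
        off += 4;
    }
    if (ethertype != ETHERTYPE_GOOSE) return 0;
    p->proto_bits |= PROTO_BIT_GOOSE;
    p->goose = frame + off;
    p->goose_len = len - off;
    return 1;
}

/* Preprocessor stage: the function you would register with
   AddFuncToPreprocList(). It acts only when the decoder set the bit. */
goose_verdict goose_preproc(const Packet *p)
{
    if (!(p->proto_bits & PROTO_BIT_GOOSE)) return GOOSE_NOT_GOOSE;
    if (p->goose_len < GOOSE_HDR_LEN) return GOOSE_TRUNCATED;
    uint16_t length = be16(p->goose + 2);   /* header + APDU length */
    /* Short frames carry Ethernet padding after the APDU, so only reject a
       Length that overruns the frame or leaves no room for an APDU. */
    if (length <= GOOSE_HDR_LEN || length > p->goose_len) return GOOSE_BAD_LENGTH;
    if (p->goose[GOOSE_HDR_LEN] != GOOSE_PDU_TAG) return GOOSE_BAD_TAG;
    return GOOSE_OK;
}

/* Run both stages on one frame, as Snort's packet path would. */
goose_verdict check_frame(const uint8_t *frame, uint32_t len)
{
    Packet p;
    if (decode_eth(&p, frame, len) < 0) return GOOSE_TRUNCATED;
    return goose_preproc(&p);
}

/* Constructed sample frames (not captured traffic). */
const uint8_t sample_goose[27] = {
    0x01,0x0c,0xcd,0x01,0x00,0x01,  0x00,0x11,0x22,0x33,0x44,0x55,  0x88,0xb8,
    0x00,0x01,  0x00,0x0d,  0x00,0x00,  0x00,0x00,   /* APPID 1, Length 13, Reserved */
    0x61,0x03,0x80,0x01,0x41                          /* goosePdu { gocbRef "A" } */
};
const uint8_t sample_goose_vlan[31] = {
    0x01,0x0c,0xcd,0x01,0x00,0x01,  0x00,0x11,0x22,0x33,0x44,0x55,
    0x81,0x00,0x00,0x64,  0x88,0xb8,                  /* 802.1Q VID 100, then GOOSE */
    0x00,0x01,  0x00,0x0d,  0x00,0x00,  0x00,0x00,
    0x61,0x03,0x80,0x01,0x41
};
const uint8_t sample_ipv4[18] = {
    0xff,0xff,0xff,0xff,0xff,0xff,  0x00,0x11,0x22,0x33,0x44,0x55,  0x08,0x00,
    0x45,0x00,0x00,0x14                               /* start of an IPv4 header */
};

int main(void)
{
    printf("goose:      %d\n", check_frame(sample_goose, sizeof sample_goose));
    printf("goose/vlan: %d\n", check_frame(sample_goose_vlan, sizeof sample_goose_vlan));
    printf("ipv4:       %d\n", check_frame(sample_ipv4, sizeof sample_ipv4));
    return 0;
}
```

The split mirrors what the message asks for: the decoder only classifies the frame and records where the GOOSE header 
starts, and everything protocol-specific (length sanity, BER tag, later the stNum/sqNum checks you would want for replay 
detection) lives in the preprocessor that Snort calls when the bit is set.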

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Nicholas Mavis
Sent: March 2, 2020 12:52 PM
To: Awais Ali <awaisali901 () gmail com>
Cc: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort extension for layer 2 attacks

In my opinion, the best resource for writing a decoder is usually referencing the existing decoders provided in Snort.

With some debugging and time in the code it should make a lot more sense. Unfortunately, decoders are not an easy thing 
to implement.

On Mon, Mar 2, 2020, 10:35 AM Awais Ali via Snort-devel <snort-devel () lists snort org> wrote:

I know there is ARP preprocessor in snort. But I want to detect attacks in special layer 2 protocols like Goose, CDP 
etc.
If I want to detect the attacks in the payload of the Goose protocol then there is no such solution since snort detects 
payload of layer 3 and above.
There are many such special protocols in layer 2 where, if you want to detect regular extensions/content in the 
payload, there is no such solution.

I want to extend snort in this domain by writing decoders of that particular protocol the way we have for other 
protocols like tcp/udp above layer 3.
I need guidelines and little bit technical support from you guys or any better solution to do this task using snort.

I hope you will cooperate in this regard. I am looking forward to hearing from you.

Thanks,
Awais Ali

On Mon, 2 Mar 2020, 15:35 Joel Esler (jesler), <jesler () cisco com> wrote:
We already have a layer 2 tool, check out the arpspoof preprocessor.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com


On Feb 28, 2020, at 12:56 PM, Awais Ali via Snort-devel <snort-devel () lists snort org> wrote:

Hello all,
I am a master's student working at Siemens AG; nowadays I am working on a possible extension of Snort for layer 2 
attacks. As per my understanding, I need to write a decoder for that particular protocol and a preprocessor as well.

Can someone guide me on how I can write a decoder for any given layer 2 protocol, the way Snort parses the protocols 
for layer 3 and above? I hope you will cooperate in this regard.

Thanks,
Awais Ali
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
