Snort mailing list archives

Re: Snort extension for layer 2 attacks


From: Awais Ali via Snort-devel <snort-devel () lists snort org>
Date: Thu, 5 Mar 2020 23:38:50 +0100

Hi Chamara,

Thanks for the detailed explanation. Have you tried this Goose protocol
implementation in Snort 2.9? How is it? I mean the performance/accuracy?
And can we also extend it for every protocol we want in layer 2, or maybe
layer 7?
Secondly, a few colleagues here recommended Snort 3 for extension purposes,
which means we would have to write external/extra plugins for each protocol
we want to detect.

Which one is easier and better to implement, Snort 3 or Snort 2.9?

Thanks,
Awais Ali

On Thu, 5 Mar 2020, 19:51 Chamara Devanarayana, <Chamara () rtds com> wrote:

Hi Ali,

The following instructions are for SNORT 2.9.

As mentioned below, you need to write a preprocessor. However, you need to
modify the Snort packet decoder as well. At the decoder (src/decode.h and
src/decode.c) you can filter the GOOSE packets using the EtherType, which
should be 0x88b8. Define the protocol bit for GOOSE in decode.h, e.g.
PROTO_BIT_GOOSE. If you detect this EtherType you need to set this
protocol bit in the Packet data structure in Snort. Have a look at the
DecodeEthTypes() function in decode.c. Then, when you write the preprocessor
in src/preprocessors, in the init function use AddFuncToPreprocList() to
add the function that you use to process the GOOSE data when the above
defined protocol bit is set. Furthermore, use
session_api->enable_preproc_all_ports() to register the GOOSE functionality
with the Snort config. Read through the arpSpoof code thoroughly.

Hope this helps.

Best regards,

Chamara
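The decoder step described above, worked through as an added example; this is not Snort's own code and not code posted by anyone in this thread. It is a stand-alone C program that does what a decode.c hook would do: walk the Ethernet header, peel an optional 802.1Q tag (GOOSE frames are normally VLAN-tagged), test for EtherType 0x88b8, and validate the fixed eight-byte GOOSE header (APPID, Length, Reserved1, Reserved2, per IEC 61850-8-1) before exposing the BER-encoded goosePdu to a preprocessor. `PROTO_BIT_GOOSE`, `goose_packet` and `decode_goose` are assumed names standing in for Snort's `Packet`/proto_bits plumbing, and the two frames are constructed for the example, not captured traffic.

```c
/* Added example, not Snort code: decoder-side recognition of GOOSE
 * (EtherType 0x88b8) with the bounds checks a preprocessor must rely on.
 * PROTO_BIT_GOOSE / goose_packet are hypothetical stand-ins for Snort's
 * Packet.proto_bits plumbing in decode.h. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETHERTYPE_VLAN   0x8100
#define ETHERTYPE_GOOSE  0x88b8
#define PROTO_BIT_GOOSE  0x0001u   /* hypothetical bit, would live in decode.h */

enum goose_status {
    GOOSE_NOT_GOOSE = 0,  /* other EtherType: leave to the normal decoders */
    GOOSE_OK,             /* header consistent, proto bit set */
    GOOSE_TRUNCATED,      /* frame shorter than the fields it claims */
    GOOSE_BAD_APPID,      /* APPID outside the 0x0000-0x3FFF GOOSE range */
    GOOSE_BAD_APDU_TAG    /* APDU does not start with the IECGoosePdu tag 0x61 */
};

typedef struct {
    uint32_t       proto_bits;  /* stand-in for Packet.proto_bits */
    uint16_t       vlan_id;     /* 0 when untagged */
    uint16_t       appid;
    uint16_t       length;      /* GOOSE Length: 8 header bytes + APDU */
    const uint8_t *apdu;        /* start of the BER goosePdu */
    size_t         apdu_len;
} goose_packet;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode one Ethernet frame; on GOOSE_OK the caller may read out->apdu. */
enum goose_status decode_goose(const uint8_t *frame, size_t len, goose_packet *out)
{
    size_t off = 12;                       /* dst MAC + src MAC */
    memset(out, 0, sizeof(*out));
    if (len < off + 2) return GOOSE_TRUNCATED;
    uint16_t etype = rd16(frame + off);
    off += 2;
    if (etype == ETHERTYPE_VLAN) {         /* single 802.1Q tag, as GOOSE uses */
        if (len < off + 4) return GOOSE_TRUNCATED;
        out->vlan_id = rd16(frame + off) & 0x0fff;
        etype = rd16(frame + off + 2);
        off += 4;
    }
    if (etype != ETHERTYPE_GOOSE) return GOOSE_NOT_GOOSE;

    /* Fixed GOOSE header: APPID(2) Length(2) Reserved1(2) Reserved2(2) */
    if (len < off + 8) return GOOSE_TRUNCATED;
    out->appid  = rd16(frame + off);
    out->length = rd16(frame + off + 2);
    if (out->appid & 0xc000) return GOOSE_BAD_APPID;   /* top two bits must be 00 */
    if (out->length < 8 || off + out->length > len) return GOOSE_TRUNCATED;
    out->apdu     = frame + off + 8;
    out->apdu_len = out->length - 8;
    if (out->apdu_len < 2 || out->apdu[0] != 0x61) return GOOSE_BAD_APDU_TAG;
    out->proto_bits |= PROTO_BIT_GOOSE;    /* what the preprocessor keys on */
    return GOOSE_OK;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t SAMPLE_GOOSE_FRAME[] = {
    0x01,0x0c,0xcd,0x01,0x00,0x01,           /* dst: IEC 61850 GOOSE multicast range */
    0x00,0x11,0x22,0x33,0x44,0x55,           /* src */
    0x81,0x00, 0x80,0x04,                    /* 802.1Q: PCP 4, VID 4 */
    0x88,0xb8,                               /* EtherType GOOSE */
    0x00,0x01,                               /* APPID 1 */
    0x00,0x12,                               /* Length 18 = 8 + 10 */
    0x00,0x00, 0x00,0x00,                    /* Reserved1, Reserved2 */
    0x61,0x08, 0x80,0x06,'A','B','C','D','E','F' /* goosePdu with a 6-byte [0] gocbRef */
};
const uint8_t SAMPLE_IPV4_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x66, 0x00,0x11,0x22,0x33,0x44,0x55,
    0x08,0x00, 0x45,0x00,0x00,0x14           /* EtherType IPv4, start of an IP header */
};

int main(void)
{
    goose_packet gp;
    enum goose_status s = decode_goose(SAMPLE_GOOSE_FRAME, sizeof SAMPLE_GOOSE_FRAME, &gp);
    printf("status=%d vlan=%u appid=0x%04x length=%u apdu_len=%zu bits=0x%x\n",
           s, gp.vlan_id, gp.appid, gp.length, gp.apdu_len, gp.proto_bits);
    printf("truncated -> %d\n", decode_goose(SAMPLE_GOOSE_FRAME, sizeof SAMPLE_GOOSE_FRAME - 1, &gp));
    printf("ipv4 -> %d\n", decode_goose(SAMPLE_IPV4_FRAME, sizeof SAMPLE_IPV4_FRAME, &gp));
    return 0;
}
```

The `GOOSE_TRUNCATED`, `GOOSE_BAD_APPID` and `GOOSE_BAD_APDU_TAG` results are the points where a preprocessor would raise an event; the decoder itself only sets the bit and records a checked APDU offset and length, so nothing downstream reads past the end of the frame.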



*From:* Snort-devel <snort-devel-bounces () lists snort org> *On Behalf Of *Nicholas
Mavis
*Sent:* March 2, 2020 12:52 PM
*To:* Awais Ali <awaisali901 () gmail com>
*Cc:* snort-devel () lists snort org
*Subject:* Re: [Snort-devel] Snort extension for layer 2 attacks



In my opinion, the best resource for writing a decoder is usually
referencing the existing decoders provided in Snort.



With some debugging and time in the code it should make a lot more sense.
Unfortunately, decoders are not an easy thing to implement.



On Mon, Mar 2, 2020, 10:35 AM Awais Ali via Snort-devel <
snort-devel () lists snort org> wrote:



I know there is an ARP preprocessor in Snort. But I want to detect attacks in
special layer 2 protocols like Goose, CDP etc.

If I want to detect attacks in the payload of the Goose protocol then
there is no such solution, since Snort inspects payload at layer 3 and above.

There are many such special protocols in layer 2 where, if you want to
detect regular extensions/content in the payload, there is no such
solution.



I want to extend Snort in this domain by writing decoders for that
particular protocol, the way we have for other protocols like TCP/UDP above
layer 3.

I need guidelines and a little bit of technical support from you guys, or any
better solution to do this task using Snort.



I hope you will cooperate in this regard. I am looking forward to hearing
from you.



Thanks,

Awais Ali



On Mon, 2 Mar 2020, 15:35 Joel Esler (jesler), <jesler () cisco com> wrote:

We already have a layer 2 tool, check out the arpspoof preprocessor.



--

Joel Esler

Manager, Communities Division

Cisco Talos Intelligence Group

http://www.talosintelligence.com



On Feb 28, 2020, at 12:56 PM, Awais Ali via Snort-devel <
snort-devel () lists snort org> wrote:



Hello all,

I am a master's student working at Siemens AG; nowadays I am working on a
possible extension of Snort for layer 2 attacks. As per my understanding, I
need to write a decoder for that particular protocol and a preprocessor as well.



Can someone guide me on how I can write a decoder for any given layer 2
protocol, the way Snort parses the protocols for layer 3 and above? I hope
you will cooperate in this regard.



Thanks,

Awais Ali

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!




