Thursday, May 28, 2015

Snort++ DAQ and Logger Updates

There are several changes in recent updates that provide new ways to input packets and output event data. Much of the change is driven by development and test needs but you may find the new capabilities useful as well. Here is a brief summary:

Hext DAQ Added

Input raw packets or TCP payload with 4-tuple. Input in hex or quoted text.

Configure with:

    stream_user = { }

Use with:

    --daq-dir ~/install/lib/snort_extra/daqs
    --daq hext
    [--daq-var dlt=1] # optional raw ethernet
    -r  | -i tty

Example input:

    $packet 10.1.2.3 48620 -> 10.9.8.7 80

    "GET / HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "\r\n"
Example raw eithernet input (set the dlt):

    # 0 [98]

    x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 54 00 03  # ..............E..T..
    x00 00 40 06 5C 8E 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00  # ..@.\............P..
    x00 02 00 00 00 02 50 10 20 00 7D D5 00 00 47 45 54 20 2F 74  # ......P.  .}...GET /t
    x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48  # rigger/1 HTTP/1.1..H
    x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 0D 0A        # ost: localhost....

Additional commands are available to specify packets, clients, and servers. Check the user manual for details.

File DAQ Added

Do detection, file type identification, and file signature calculations on plain files (no packets needed).

Configure with:

    stream_file = { }

    file_id =
    {
        enable_type = true,
        enable_signature = true,
        file_rules = file_magic
    }

Use with:

    --daq file
    -r 

This will print out file type and signature stats so you can see how Snort++ will process a file w/o having to put it in a pcap. You can also use --pcap-dir and --max-packet-threads to quickly process a whole directory. Use -s to process with larger "packets" (ie buffers). Note that the output is still being cleaned up.

In addition to basic file processing, you can do the usual detection with IPS rules.

Socket DAQ Added

Snort will accept up to two connections and bridge them together, passing the payload through detection.

Configure with:

    stream_user = { }

Use with:

    --plugin-path ~/install/lib/snort_extra
    --daq-dir ~/install/lib/snort_extra/daqs
    --daq socket

For example, you can do:

    $ nc localhost 8000
    client

    $ nc localhost 8000
    server

"client" or "server" are output to indicate which end of the flow you are on.

Socket Codec Added

Required to use the socket DAQ. Also required to use the hext DAQ when not in raw mode.  The socket codec counts include packets you don't explicitly generate. The socket DAQ will automatically generate a start and end of flow packets as connections are opened and closed. The hext DAQ automatically generates an end of flow packet at end of file.

Hext Logger Added

Dump TCP stream payload with 4-tuple information (default mode) or all full packets (raw mode) suitable for input with the hext DAQ.

Use with:

    --plugin-path ~/install/lib/snort_extra
    -L hext:
To get:
    $packet 10.1.2.3 48620 -> 10.9.8.7 80

    x47 45 54 20 2F 74 72 69 67 67 65 72 2F 31 20 48 54 54 50 2F  # GET /trigger/1 HTTP/
    x31 2E 31 0D 0A 48 6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74  # 1.1..Host: localhost
    x0D 0A 0D 0A                                                  # ....

    $packet 10.9.8.7 80 -> 10.1.2.3 48620

    x48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E  # HTTP/1.1 200 OK..Con
    x74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 32 0D 0A 0D 0A     # tent-Length: 12....

CSV Logger Updated

This logger was completely rewritten and is a good choice for logging a custom format with a simple config.

With -A csv you get the default format for alerts like this (timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap, rule, action):

   08/01-04:55:34.510034, 573345, TCP, raw, 940, C2S, 192.168.22.13:1357, 199.221.131.110:80, 1: 5808:9, allow
   08/01-04:58:18.107004, 623410, TCP, stream_tcp, 401, C2S, 192.168.16.25:3510, 207.46.134.62:  80, 1:18758:8, allow

Test Logger Deleted

This logger is obviated with the updated CSV logger which can be configured to output in the old default test format.

Use:

    --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"

To get:

    573345  1   5808    9
    623410  1   18758   8