By Masud Hasan, additional contributions by Jon Munshaw and Joel Esler.
As we near our “General Availability” (or GA) release of Snort 3.0 later this year, we’re going to be introducing content such as our videos, how-to guides and other installation documents.
With our most recent release of Snort3’s beta, we added a new inspector “RNA“ to provide network visibility. For those of you that have been using Sourcefire products, you’ll remember this feature as “Real-Time Network Awareness”, a technology that we invented and patented back then.
In this initial release, RNA analyzes passing traffic to discover hosts with filtering based on IP/port/zone. It logs information about these hosts such as protocols, applications and user agents (collected from other modules), and operating systems (using predefined fingerprints). RNA does not generate or alter traffic on its own. Keep in mind that this preprocessor is a work in progress for Open Source users, and more functionality will be added over time.
To enable host discovery (this feature is disabled by default), you’ll need to look at the config file referred by rna_conf_path (in your snort.conf) can have keywords:
Analyze # discover application, host, user (only host discovery is implemented)
AnalyzeHostUser # discover application, host, user (same as Analyze)
AnalyzeApplication # discover application
AnalyzeHost # discover application, host
AnalyzeUser # discover application, user
portexclusion # don't discover on this port
Format:
config keyword [!]ip [zone]
portexclusion dst|src|both tcp|udp port ip
Examples:
config AnalyzeHost 0.0.0.0/0 -1 # discover any ipv4 on any zone
config AnalyzeHost ::/0 2 # discover any ipv6 on zone 2
config AnalyzeHost !1.2.3.4/16 3 # exclude this ipv4 range on zone 3
config Analyze !cafe:feed::0/64 # exclude this ipv6 range on any zone
portexclusion dst udp 53 8.8.8.8 # exclude this ip for UDP port 53 in destination direction
portexclusion both tcp 4000 ::0/0 # exclude any ipv6 for TCP port 4000 in both direction
Note that exclusion has a higher priority than inclusion. The enable_logger config enables or disables sending RNA discovery events to EventManager::call_loggers. This type of event logger or reader is not implemented yet. However, since RNA stores host information into host_cache, to log the discovered hosts into a file, users can issue a socket command — host_cache.dump('file.out') — or add lua config — host_cache = { dump_file = 'file.out'}.
For example:
> cat rna.conf
config AnalyzeHost 0.0.0.0/0 1
config AnalyzeHost 0.0.0.0/0 2
portexclusion dst tcp 80 0.0.0.0/0
> cat snort.lua
stream = { }
stream_tcp = { }
host_cache = { dump_file = file.out' }
rna = { rna_conf_path = 'rna.conf' }
Then, run Snort with TCP traffic, such as:
1.1.1.1:23 zone1 <--> 8.8.8.8:22 zone2
2.2.2.2:23 zone3 <--> 9.9.9.9:22 zone4
3.3.3.3:1234 zone1 <--> 2.2.2.2:80 zone2
The following file.out will be generated when Snort closes, which demonstrates discovered hosts (in the least recently used order) after filtering from the traffic:
IP: 8.8.8.8
hops: 255, time: 2000-01-01 00:00:00
macs size: 1
mac: 02:09:08:07:06:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00
IP: 1.1.1.1
hops: 255, time: 2000-01-01 00:00:00
macs size: 1
mac: 02:01:02:03:04:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00
As always, feedback on this work-in-progress feature may be sent to the
Snort Users mailing list.