Snort-Output XML Plugin Analysis

xiaoxiao2021-03-06  44


Author: gnicky, URL: http://blog.9cbs.net/loconfuse

This is a preliminary analysis based on Snort 1.8. Snort changed considerably after 2.0, so for analysing the core of the software a lower version is more appropriate; ideally one would start from the original author's own line of thought, but since there is no such record, I downloaded Snort-1.8 and start the analysis from that version.

First I read the manual to get an overview of the software. Snort runs in three modes: sniffer (listening), packet logger, and network intrusion detection. The manual also gives a general description of the output plugins: syslog, database, CSV, XML, SMB alert, and so on. This release has more output plugins than before, which makes it a good study object for anyone who wants to learn how plugins work.

To make studying easier I also downloaded Snort 2.0; in that release the files are sorted into directories, whereas in 1.8 most files sit directly in the top-level directory. Being a Linux novice, I do not fully understand the naming of the following directories (I never studied Minix properly either). contrib holds contributed add-on material, doc holds the related documentation including the manual, and there are also several Makefiles and other files. The following section is excerpted from Readme.plugin:

OVERVIEW:

Snort version 1.5 introduces a major new concept, plugins. There are two types of plugin currently available in Snort: detection plugins and preprocessors. Detection plugins check a single aspect of a packet for a value defined within a rule and determine if the packet data meets their acceptance criteria. For example, the tcp flags detection plugin checks the flags section of TCP packets for matches with flag combinations defined in a particular rule. Detection plugins may be called multiple times per packet with different arguments. Preprocessors are only called a single time per packet and may perform highly complex functions like TCP stream reassembly, IP defragmentation, or HTTP request normalization. They can directly manipulate packet data and even call the detection engine directly with their modified data. They can perform less complex tasks like statistics gathering or threshold monitoring as well.

This mainly introduces the plugins used to analyse the packets captured by libpcap, in their two broad categories, which leave a great deal of room for further development on top of Snort's design pattern.

"sp_something.c" / "sp_something.h" are the skeletons for detection plugins, and spp_something.c / spp_something.h are the skeletons for preprocessor plugins. If you are interested in writing plugins you can learn from the files in templates; I hope to become an excellent plugin developer! If you are particularly interested in the output plugins, study the file README.database, which describes the database output plugin (though of course not its detailed working principle). I believe the README.csv file likewise describes how to use the CSV output plugin. Following the same pattern, you can guess that the README.xml file in Snort 1.8 describes how to use the XML plugin; that file no longer appears in 2.2.0.

etc is a very important directory; it holds basic files such as the classification file and the snort.conf configuration file. The rules directory, as one would expect, holds all the files with the .rules suffix, i.e. the rule files. Each of these directories also contains two Makefile-related files; Makefile.am is the simpler one, and here is the Makefile.am from the rules directory:

## $Id$
AUTOMAKE_OPTIONS = foreign no-dependencies
EXTRA_DIST = attack-response.rules backdoor.rules bad-traffic.rules \
chat.rules ddos.rules deleted.rules dns.rules dos.rules experimental.rules \
exploit.rules finger.rules ftp.rules icmp-info.rules icmp.rules imap.rules \
info.rules local.rules misc.rules multimedia.rules mysql.rules netbios.rules \
nntp.rules oracle.rules other-ids.rules p2p.rules policy.rules pop3.rules \
porn.rules rpc.rules rservices.rules scan.rules shellcode.rules smtp.rules \
snmp.rules sql.rules telnet.rules tftp.rules virus.rules web-attacks.rules \

The Snort source itself is in src, where the files are grouped by function; output-plugins contains the output plugins, and win32 is presumably for the Windows build.

Here is the description of the XML output plugin from Snort 1.8.0:

The XML plug-in enables snort to log in SNML - simple network markup language aka (snort markup language) to a file or over a network. The DTD is available in the contrib directory of the snort distribution. You can use this plug-in with one or more snort sensors to log to a central database and create highly configurable intrusion detection infrastructures within your network. The plugin will also enable you to automatically report alerts to a third party such as an incident response team or managed security service provider. This plugin was originally developed at .

This shows that the XML output plugin is no longer included in the released Snort 2.2.0, and the DTD has to be downloaded from the website. The question is whether tools written to analyse the XML logs can be adapted; on this point the program depends critically on the DTD.

Initial goal: make Snort 2.2.0 support the XML output plugin by analysing the .c and .h files associated with the output plugin. Here is a taste of the work:

Step 1: starting with what is closest to the output plugin, copy spo_xml.c and spo_xml.h into output-plugins and modify the two Makefile files. Makefile.in carries the header "# Makefile.in generated by automake 1.6.3 from Makefile.am", and the instructions there say to edit Makefile.am, add the names of the two files to the snort_SOURCES line, save and exit, then run automake. The change then propagates, and at least two places in the file have to be changed. Comparing the two versions shows that in 1.8.0, where modularity is limited, the outputs and intermediate results use variables named snort_xx, while in Snort-2.2.0 the output plugin module uses libspo_xx.

Step 2: go back up to the src directory and analyse the plugin-related files there. Looking at plugbase.c, one sees that in some places the separation of these modules has not been fully completed!

Comparing the two versions of plugbase.c shows that later Snort makes heavy use of compile-time switches, which makes it customisable but complicates installation and deployment. My current goal for the modification is to enable the XML output plugin unconditionally (without adding a switch).

OutputKeywordList is a type we need to pay attention to; it records the output keywords that are enabled. The headers most likely to be involved are the following:

#include "plugbase.h"
#include "snort.h"
#include "debug.h"
#include "util.h"
#include "log.h"
#include "detect.h"

Now look at the list type itself:

typedef struct _OutputKeywordList
{
    OutputKeywordNode entry;
    struct _OutputKeywordList *next;
} OutputKeywordList;

The pattern is: define struct _xxxx, then typedef it as the custom type xxxx. The key question is where the initial value is assigned; since this is determined at compile time, it is essentially treated as a constant in Snort.

This step leaves one question open: are the keywords initialised this way collected into a list? Look at the system's global variables.

Step 3: digging through the Makefile in the src directory, I found snort_LDADD = output-plugins/libspo.a \ ..., i.e. the link list includes the archive built from object files such as spo_xml.o and spo_csv.o.

Reviewing the modifications, the issues and their solutions: the first statement of the SetupXML function is RegisterOutputPlugin("xml", NT_OUTPUT_LOG, XMLInit);. By convention the all-uppercase names are globals. It calls the plugbase function void RegisterOutputPlugin(char *keyword, int type, void (*func)()); since the function is void and returns nothing, the registration must be saved into the list.

Step 4: considering possible problems, the calls within Snort itself should be fine, but the calls into external libraries are not guaranteed:

#include <openssl/x509.h>   (source under openssl-0.9.7e/crypto/x509)
#include <openssl/pem.h>    (source under openssl-0.9.7e/crypto/pem)
#include <openssl/err.h>    (source under openssl-0.9.7e/crypto/err)

These OpenSSL header files may cause problems, and one has to worry about version differences. This reminds me of my previous blog post, which stressed that --with-openssl is required to support the XML output plugin in Snort; that is evident here. I first looked in OpenSSL's crypto directory, and the result was wrong, which I regret a little! In fact all these files are available under the openssl-0.9.7e/include/openssl directory, so no problem.

In addition, SNML's DTD file needs to be placed in a suitable directory.

Start working from Snort 2.0, and run ./configure with --with-openssl=DIR.

Please credit the original source when reposting: https://www.9cbs.com/read-62423.html
