I tested snort-03.0.0.a1.4 on a FreeBSD 6.x box with the lua-5.1.1_2 package installed. I compiled it:
$ ./configure --with-lua-includes=/usr/local/include/lua51/ \
    --with-lua-libraries=/usr/local/lib/lua51/ \
    --prefix=/usr/local/snort-03.0.0.a1.4/
$ make
$ make install
The alpha code does not have a detection engine yet. It's like the original Snort -- it's only a packet decoder. I thought you might like to see what it looks like when Snort 3.0 decodes IPv6 packets. I'm using this IPv6-only FreeBSD scenario.
When you start Snort, it activates but does nothing until you tell it to.
cel433:/usr/local/snort-03.0.0.a1.4/bin# ./snort
[*] DAQ Modules Loaded...
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded raw
[*] Decoder initialized...
[*] Flow manager initialized...
[*] Data source subsystem loaded
[*] Engine manager initialized
[*] Loading command interface
[!] Loading sfips command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
   ,,_     -*> Snort! <*-
  o"  )~   Version 03.0.0.a1.4 (Build 7) [PRE-ALPHA]
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 2006 Sourcefire Inc.
You tell Snort to begin sniffing using these commands.
> dofile("/usr/local/src/snort-03.0.0.a1.4/etc/snort.lua")
snort> fsniff("fxp0")
Creating new data source
Engine "e2" created
Linking engine "e2" to data source "src2"
init_pcap: Initializing network interface fxp0
init_pcap: netmask lookup for device fxp0: fxp0: no IPv4 address assigned
Device type is Ethernet on interface fxp0
Flow manager "a5a891c4-e448-11db-b5e1-00045a7822bf" created with 16384 flow capacity
[*] Data Source Config:
Name: src2
Type: pcap
Interface: fxp0
Filename:
Snaplen: 1514
Flags: 0x00000002
Display: ethernet (4)
Filter command:
DAQ: 0x807e400
User Context: 0x808f3c0
User Data: 0x0
Max flows: 16384
Max idle: 10
Memcap: 10000000
[*] Flow Manager Config:
Max flows: 16384
Max idle: 10
Memcap: 10000000
[*] DAQ config:
Interface: fxp0
Snaplen: 1514
Datalink: 1
Count: 0
Packet Count: 0
Promisc flag: 1
File flag: 0
pcap ptr: 0x80ac400
analysis context ptr: 0x80a9600
[*] Spawning engine thread!
I generate ICMPv6 traffic that Snort can see.
mwmicro:/home/string$ ping6 -c 1 p200
PING6(56=40+8+8 bytes) fe80::200:d1ff:feed:8c74%sf3 --> fe80::204:5aff:fe79:43a7%sf3
16 bytes from fe80::204:5aff:fe79:43a7%sf3, icmp_seq=0 hlim=64 time=1.131 ms
--- p200 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.131/1.131/1.131/0.000 ms
Here is what Snort reports.
snort> [*] Packet on interface fxp0
[*] Packet Info
Serial: 1
Packet Time: 04/06-14:11:13.098377
Packet Bytes: 70
Captured Bytes: 70
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 16
Next Header: ipv6-icmp
Hop Limit: 64
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 128 (Echo Request)
Code: 0
Id: 11124
Seq: 0
Checksum: 22822 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 46 16 55 0E 00 0A 64 63 F.U...dc
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 2
Packet Time: 04/06-14:11:13.098802
Packet Bytes: 70
Captured Bytes: 70
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 16
Next Header: ipv6-icmp
Hop Limit: 64
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 129 (Echo Reply)
Code: 0
Id: 11124
Seq: 0
Checksum: 22566 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 46 16 55 0E 00 0A 64 63 F.U...dc
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 3
Packet Time: 04/06-14:11:18.096779
Packet Bytes: 86
Captured Bytes: 86
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 32
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 135 (ND Neighbor Solicitation)
Code: 0
Checksum: 32787 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 01 01 00 00 D1 ED 8C 74 .......t
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 4
Packet Time: 04/06-14:11:18.097203
Packet Bytes: 78
Captured Bytes: 78
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 24
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 136 (ND Neighbor Advertisement)
Code: 0
Checksum: 40574 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 02 04 5A FF FE 79 43 A7 ..Z..yC.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 5
Packet Time: 04/06-14:11:18.097456
Packet Bytes: 86
Captured Bytes: 86
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 32
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 135 (ND Neighbor Solicitation)
Code: 0
Checksum: 32787 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 01 01 00 04 5A 79 43 A7 ....ZyC.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 6
Packet Time: 04/06-14:11:18.097744
Packet Bytes: 78
Captured Bytes: 78
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 24
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 136 (ND Neighbor Advertisement)
Code: 0
Checksum: 24128 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 02 00 D1 FF FE ED 8C 74 .......t
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Finally I tell Snort to shut down.
sfips.shutdown()
[*] SFIPS ACTIVE data source src2 received 6 packets on fxp0
Analyzed: 6 (100.000%)
Dropped: 0 (0.000%)
[-] Ethernet Stats:
Count: 6
[-] IPv6 Stats:
Count: 6
[-] ICMPv6 Stats:
Count: 6
Bad Csum: 6
[-] Raw Stats:
Count: 6
Bytes: 48
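Every one of the six packets was printed with "(INVALID 0000)" and the shutdown stats count Bad Csum: 6, yet the echo reply came back and both neighbor solicitations were answered, so both hosts accepted those checksums on the wire. The ICMPv6 checksum is computed over an IPv6 pseudo-header (source address, destination address, upper-layer length, three zero bytes, next header 58) followed by the ICMPv6 message (RFC 4443 section 2.3); a routine that covers only the ICMPv6 message, the way an IPv4 ICMP routine does, rejects every valid packet. The Python below is an added example, not code from this post or from Snort: it rebuilds the six frames from the decoded fields above (constructed input), decodes them, and verifies each checksum with the pseudo-header. Two assumptions are built into the frames: the flow label is taken as 0 (the 0x60 printed as the flow tag is the value of the first header octet, version 6 with traffic class 0, and a real flow label is the low 20 bits of the first 32-bit word), and the neighbor advertisement flag words 0x40000000 and 0xc0000000 are the values consistent with the checksums Snort printed. All six come out valid with exactly the checksum values shown above.

```python
"""Decode Ethernet/IPv6/ICMPv6 frames and verify the ICMPv6 checksum the
way RFC 4443 section 2.3 requires: over an IPv6 pseudo-header plus the
ICMPv6 message.  Added example; this is not Snort code."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """Checksum the sender must place in the ICMPv6 header: pseudo-header
    (src, dst, upper-layer length, 3 zero bytes, next header 58) plus the
    message with its own checksum field cleared."""
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), IPPROTO_ICMPV6)
    cleared = icmp[:2] + b"\x00\x00" + icmp[4:]
    return (~ones_complement_sum(pseudo + cleared)) & 0xFFFF


def checksum_without_pseudo_header(icmp: bytes) -> int:
    """What an IPv4-style ICMP routine computes; wrong for ICMPv6."""
    cleared = icmp[:2] + b"\x00\x00" + icmp[4:]
    return (~ones_complement_sum(cleared)) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Return the fields a decoder should print for one captured frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV6:
        raise ValueError(f"not IPv6: ethertype 0x{ethertype:04x}")
    first_word, plen, nh, hlim = struct.unpack("!IHBB", frame[14:22])
    if first_word >> 28 != 6:
        raise ValueError("IPv6 version nibble is not 6")
    src, dst = frame[22:38], frame[38:54]
    icmp = frame[54:54 + plen]
    if nh != IPPROTO_ICMPV6 or len(icmp) != plen:
        raise ValueError("expected a complete ICMPv6 message after the IPv6 header")
    icmp_type, code, wire_csum = struct.unpack("!BBH", icmp[:4])
    return {
        "class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,   # low 20 bits of the first word
        "payload_length": plen,
        "hop_limit": hlim,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "type": icmp_type,
        "code": code,
        "checksum": wire_csum,
        "checksum_ok": wire_csum == icmpv6_checksum(src, dst, icmp),
    }


def build_frame(src_mac, dst_mac, hlim, src, dst, icmp):
    """Ethernet + IPv6 (traffic class 0, flow label 0 assumed) + ICMPv6."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV6)
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hlim) + src + dst
    return eth + ip6 + icmp


# The two hosts from the capture above.
MW_MAC, P200_MAC = "00:00:d1:ed:8c:74", "00:04:5a:79:43:a7"
MW_IP = ipaddress.IPv6Address("fe80::200:d1ff:feed:8c74").packed
P200_IP = ipaddress.IPv6Address("fe80::204:5aff:fe79:43a7").packed
ECHO_DATA = bytes.fromhex("4616550e000a6463")

# Constructed input: the six frames rebuilt from the fields Snort printed,
# carrying the checksums it flagged INVALID.  The NA flag words (S, and
# R+S) are assumptions chosen to be consistent with those checksums.
FRAMES = [
    build_frame(MW_MAC, P200_MAC, 64, MW_IP, P200_IP,     # 1: echo request
                struct.pack("!BBHHH", 128, 0, 22822, 11124, 0) + ECHO_DATA),
    build_frame(P200_MAC, MW_MAC, 64, P200_IP, MW_IP,     # 2: echo reply
                struct.pack("!BBHHH", 129, 0, 22566, 11124, 0) + ECHO_DATA),
    build_frame(MW_MAC, P200_MAC, 255, MW_IP, P200_IP,    # 3: NS + source link-layer option
                struct.pack("!BBHI", 135, 0, 32787, 0) + P200_IP + bytes.fromhex("01010000d1ed8c74")),
    build_frame(P200_MAC, MW_MAC, 255, P200_IP, MW_IP,    # 4: NA, S flag
                struct.pack("!BBHI", 136, 0, 40574, 0x40000000) + P200_IP),
    build_frame(P200_MAC, MW_MAC, 255, P200_IP, MW_IP,    # 5: NS + source link-layer option
                struct.pack("!BBHI", 135, 0, 32787, 0) + MW_IP + bytes.fromhex("010100045a7943a7")),
    build_frame(MW_MAC, P200_MAC, 255, MW_IP, P200_IP,    # 6: NA, R and S flags
                struct.pack("!BBHI", 136, 0, 24128, 0xC0000000) + MW_IP),
]


def decode_all():
    return [decode_frame(f) for f in FRAMES]


if __name__ == "__main__":
    for n, r in enumerate(decode_all(), 1):
        print(f"{n}: type {r['type']:3d} flow label {r['flow_label']} "
              f"checksum {r['checksum']} {'VALID' if r['checksum_ok'] else 'INVALID'}")
```

Run it and all six lines report VALID with the checksum values Snort printed; checksum_without_pseudo_header applied to the first message gives a different number from the wire value, which is the kind of disagreement to look for when a decoder marks every ICMPv6 packet bad while the hosts are plainly talking to each other.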
This is obviously only the beginning. I plan to learn more about Lua to take advantage of the power in Snort 3.0.