This is a discussion on Re: [Snort-users] Smb output within the Snort forums, part of the System Security and Security Related category.
On Wed, 2004-07-21 at 17:13, Michael Sconzo wrote:

> > As I said, looks like the output plugin could be optimized where the
> > admin supplies not only the IP address but also the NetBIOS name of
> > the system to be contacted. All Snort would need to do is populate a UDP
> > packet and throw it on the wire (without calling smbclient).
>
> Ok, if you re-wrote smbclient (or at least the part that does the
> WinPopUp stuff),

No, no. I'm saying don't use smbclient at all. Have Snort populate a UDP packet and send it out.

> But then you need to get the NetBIOS name out of something etc

As I said, have that specified in snort.conf. Then again, is it really needed? Look at the Windows spam pop-ups from the Internet. They only use an IP address, no NetBIOS name. Matter of fact, such a spam packet (perhaps one that is logged by Snort itself) could be used as a blueprint for an improved SMB alert packet.

> ... and calling the external programs via a script or something

Again, no external programs involved. Snort will, just like with the TCP reset packets, assemble and send its own packet. No call to external programs.

> Then that gets into duplicating work etc ... but if you or somebody
> else does it, I wouldn't complain either, and would probably use it.

Heh... I don't even have much time at the moment to work on Snortsam. :( And since I don't use the SMB alert, there is no incentive for me either.

Speaking of Snortsam, I'm doing something very similar there. The OPSEC plugin calls the OPSEC library routines. However, I also have my own routine that populates an OPSEC-like packet and sends it out. Matter of fact, this fwsam plugin was there first, derived from packet captures and an afternoon reverse engineering the OPSEC packet format. It is much faster than the official OPSEC library.

Anyhow... my point is that the alert itself is just a single UDP packet. Snort can send one itself without having to do all sorts of stuff like resolving NetBIOS names and calling executables like smbclient. Another advantage of not depending on smbclient is that it would work on any platform, even Windows.

Cheers,
Frank
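The reply above argues that an SMB alert is just one UDP datagram that Snort could assemble from values in snort.conf, with no call to smbclient. The following is an added example of that idea, not code from Snort, Snortsam or the thread's participants. It parses a hypothetical `output alert_netbios: <ip> <netbios name>` line (the directive name and syntax are assumptions), applies the RFC 1001 first-level name encoding the NetBIOS name would need, and frames an RFC 1002 datagram-service header for UDP/138. The SMB mailslot transaction that a Windows Messenger service expects inside the user data is not described on the page and is not reconstructed here; the user data is simply the alert text, so this frame is a structural illustration of "populate a UDP packet and send it", not a working WinPopup client. Sending is off by default (`dry_run=True`) so the function returns the bytes for inspection.

```python
"""Build a NetBIOS datagram-service (UDP/138) frame from snort.conf-style
settings. Added example; not Snort or Snortsam code."""
import re
import socket
import struct

NETBIOS_DGM_PORT = 138        # NetBIOS datagram service port (RFC 1002)
MSG_DIRECT_UNIQUE = 0x10      # datagram addressed to a single (unique) NetBIOS name
FLAG_FIRST_FRAGMENT = 0x02    # F bit set, M bit clear: first and only fragment
SUFFIX_WORKSTATION = 0x00     # NetBIOS name suffix for the workstation service
SUFFIX_MESSENGER = 0x03       # NetBIOS name suffix for the messenger service

# Hypothetical config directive; the keyword "alert_netbios" is an assumption.
_OUTPUT_RE = re.compile(r"^\s*output\s+alert_netbios:\s*(\S+)\s+(\S+)\s*$")


def parse_output_line(line: str) -> dict:
    """Extract target IP and NetBIOS name from the hypothetical output line."""
    m = _OUTPUT_RE.match(line)
    if not m:
        raise ValueError(f"not an alert_netbios output line: {line!r}")
    ip, name = m.group(1), m.group(2)
    socket.inet_aton(ip)                      # raises on a malformed IPv4 address
    if not 1 <= len(name) <= 15:
        raise ValueError("NetBIOS names are 1..15 characters")
    return {"ip": ip, "name": name}


def encode_netbios_name(name: str, suffix: int) -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes with spaces,
    append the suffix byte, and map each byte to two letters
    ('A' + high nibble, 'A' + low nibble). Result is always 32 characters."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def second_level_name(name: str, suffix: int) -> bytes:
    """Wire form: a length byte (32), the encoded label, and an empty scope."""
    return b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"


def build_datagram(src_ip: str, src_port: int, src_name: str,
                   dst_name: str, user_data: bytes, dgm_id: int = 1) -> bytes:
    """Assemble an RFC 1002 DIRECT_UNIQUE datagram.

    Header layout (14 bytes): MSG_TYPE, FLAGS, DGM_ID, SOURCE_IP, SOURCE_PORT,
    DGM_LENGTH, PACKET_OFFSET. DGM_LENGTH counts both names plus user data.
    The user data here is plain alert text (assumption); a real WinPopup
    message would carry an SMB mailslot transaction instead."""
    names = (second_level_name(src_name, SUFFIX_WORKSTATION)
             + second_level_name(dst_name, SUFFIX_MESSENGER))
    dgm_length = len(names) + len(user_data)
    header = struct.pack("!BBH4sHHH", MSG_DIRECT_UNIQUE, FLAG_FIRST_FRAGMENT,
                         dgm_id, socket.inet_aton(src_ip), src_port,
                         dgm_length, 0)
    return header + names + user_data


def send_alert(config_line: str, alert_text: str, sensor_ip: str = "10.0.0.2",
               sensor_name: str = "SNORTSENSOR", dry_run: bool = True) -> bytes:
    """Build the datagram for one alert; transmit it only when dry_run=False."""
    cfg = parse_output_line(config_line)
    payload = build_datagram(sensor_ip, NETBIOS_DGM_PORT, sensor_name,
                             cfg["name"], alert_text.encode("ascii", "replace"))
    if not dry_run:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (cfg["ip"], NETBIOS_DGM_PORT))
    return payload


if __name__ == "__main__":
    # Constructed sample values; nothing is sent because dry_run defaults to True.
    frame = send_alert("output alert_netbios: 192.0.2.10 WORKSTATION",
                       "SNORT ALERT [1:2003:1] constructed test alert")
    print(len(frame), "bytes:", frame[:14].hex())
```

The datagram header is built with `struct.pack` rather than by hand so the field order and byte sizes are checked by the format string; any platform with a BSD socket API can emit it, which is the portability point made in the reply.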