Showing posts with label "snort".

Thursday, April 2, 2009

What is a Snort Preprocessor?

Preprocessors are pluggable components of Snort, introduced in version 1.5. They sit just after the packet decoder (protocol analysis) and before the detection engine, and they do not depend on rules: they are called once for every packet that arrives, and only once. Detection plugins, on the other hand, are driven by rules and may be applied many times to a single packet (once for every rule option that references them). Preprocessors (SPPs, from the spp_*.c source files) are used in different ways: to look for a specific behaviour (portscan, flow-portscan), to provide support for further analysis (such as flow), or just to collect information (such as perfmonitor).

Sunday, March 29, 2009

The frag3 preprocessor in Snort

Why is the frag3 preprocessor needed?
frag3 performs target-based IP defragmentation.
The term "target-based" describes an IDS that is informed about the hosts residing on the network and can analyse traffic sent to those hosts in the same way the hosts themselves will. Different operating systems resolve overlapping IP fragments differently, so a sensor that reassembles every datagram with one fixed policy can be made to see a different payload from the one the destination host sees, and an attack can slip past it or trigger alerts on traffic the host never processes.
This improves the accuracy of the IDS.

For example:
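As an added illustration (not the original post's example, and not Snort's code), here is a toy model of what a per-host reassembly policy decides. It implements only two of frag3's policy names, "first" (the data that arrived first wins an overlap) and "last" (later data overwrites), and a bind_to-style lookup that maps a destination address to a policy; the fragments, subnets and the "last" default are constructed for the example.

```python
import ipaddress

# Added example, not code from the original post or from Snort. It models only
# the "first" (original data wins) and "last" (newest data wins) policies;
# Snort's frag3 also implements bsd, bsd-right, linux, windows and solaris.

def reassemble(fragments, policy):
    """Join (offset, data) fragments; bytes claimed by more than one fragment
    are resolved according to policy."""
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "first":
                buf.setdefault(pos, byte)   # keep what arrived first
            elif policy == "last":
                buf[pos] = byte             # let later fragments overwrite
            else:
                raise ValueError("unsupported policy %r" % policy)
    if not buf:
        return b""
    length = max(buf) + 1
    holes = [p for p in range(length) if p not in buf]
    if holes:
        raise ValueError("datagram incomplete, missing offsets %r" % holes)
    return bytes(buf[p] for p in range(length))


def policy_for(dst_ip, bindings, default):
    """Pick the policy for a destination host, like frag3's bind_to lookup:
    bindings maps a CIDR to a policy; hosts outside all of them get default."""
    addr = ipaddress.ip_address(dst_ip)
    for cidr, policy in bindings.items():
        if addr in ipaddress.ip_network(cidr):
            return policy
    return default


def reassemble_for_host(dst_ip, fragments, bindings, default):
    return reassemble(fragments, policy_for(dst_ip, bindings, default))


# Constructed input: the second fragment overlaps offsets 5..14 of the first.
FRAGMENTS = [(0, b"GET /safe.html "), (5, b"evil.html ")]

# Models "preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24";
# the "last" default below is an assumption for the example, not Snort's default.
BINDINGS = {"10.4.10.0/24": "first"}
DEFAULT_POLICY = "last"

if __name__ == "__main__":
    for dst in ("10.4.10.7", "192.168.1.9"):
        data = reassemble_for_host(dst, FRAGMENTS, BINDINGS, DEFAULT_POLICY)
        print(dst, policy_for(dst, BINDINGS, DEFAULT_POLICY), data)
```

For the host in the bound subnet the model returns GET /safe.html, which is what a "first"-policy host would serve; a sensor reassembling the same fragments with "last" would instead report GET /evil.html, a request the host never saw. Removing that mismatch is the whole point of binding a policy to the hosts it describes.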


How to use the frag3 preprocessor in snort.conf?

frag3 is configured in two parts: a single frag3_global line, which must come first, and one or more frag3_engine lines. An engine is tied to the hosts whose reassembly behaviour it models with bind_to, like this:
preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24

Now any overlapping fragments that Snort sees destined for the subnet 10.4.10.x are reassembled using the "first" fragmentation policy (the original data is kept), so that Snort reassembles fragments destined to those hosts in precisely the same way as the Windows hosts themselves.
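A complete frag3 section as it might appear in snort.conf, added here as an illustration rather than taken from the original post. The global line and the first engine follow the post; the second subnet, the policies chosen for it and for the default engine, the max_frags value and the timeout are assumptions for the example.

```conf
# frag3 is configured in two parts: one global line, then one or more engines.
# The global line must come before any frag3_engine line.
preprocessor frag3_global: max_frags 65536

# Windows hosts on 10.4.10.0/24 (from the post): keep the original data on overlap
preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24, detect_anomalies

# Linux hosts on 10.4.20.0/24 (assumed subnet): use the linux policy
preprocessor frag3_engine: policy linux, bind_to 10.4.20.0/24, detect_anomalies

# Default engine, no bind_to: handles every destination not matched above
preprocessor frag3_engine: policy bsd, timeout 60, detect_anomalies
```

Packets are matched against the bound engines first and fall through to the engine without bind_to, so keep one unbound engine whose policy fits the majority of hosts you have not mapped explicitly; bsd is what Snort uses when no policy is given. detect_anomalies makes each engine raise its own alerts on overlapping and otherwise malformed fragment trains instead of silently resolving them.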

Friday, March 27, 2009

snort rule for MS08-067

alert tcp any any -> any 445 (msg:"MS08067 RPC exploit"; content:"|2e 00 5c 00 5c|";offset:140; content:"|00 5c 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c 00|"; within:20;metadata:service RPC; classtype:bad-unknown; sid:9000015; rev:1;)




It works!
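To see exactly what the two content options of the rule above accept, here is an added example (not from the original post and not Snort's matcher) that applies the same offset:140 and within:20 semantics to a packet payload. The payloads are constructed for the example; they only reproduce the byte pattern the rule looks for, not real exploit traffic.

```python
# Added example, not from the original post or from Snort: a small model of how
# the two content matches in the rule above are evaluated against a packet
# payload, so the offset:140 and within:20 semantics can be checked offline.

CONTENT_1 = bytes.fromhex("2e005c005c")                       # |2e 00 5c 00 5c|
CONTENT_1_OFFSET = 140                                        # offset:140
CONTENT_2 = bytes.fromhex("005c002e002e005c002e002e005c00")  # |00 5c 00 2e ... 5c 00|
CONTENT_2_WITHIN = 20                                         # within:20


def find_all(haystack, needle, start):
    """Yield every index >= start at which needle occurs in haystack."""
    pos = haystack.find(needle, start)
    while pos >= 0:
        yield pos
        pos = haystack.find(needle, pos + 1)


def match_ms08067_rule(payload):
    """True if payload satisfies both content options of the rule.

    offset:140 means the first pattern is only searched from byte 140 on.
    within:20 means the second pattern must lie entirely within the 20 bytes
    that follow the end of the first match. As Snort's detection engine also
    does, later occurrences of the first pattern are tried before giving up."""
    for pos in find_all(payload, CONTENT_1, CONTENT_1_OFFSET):
        end = pos + len(CONTENT_1)
        window = payload[end:end + CONTENT_2_WITHIN]
        if CONTENT_2 in window:
            return True
    return False


# Constructed payloads (not captured traffic). The UTF-16LE string below
# decodes to the byte sequence the two content options look for.
FILLER = b"A" * 140
TRAVERSAL = ".\\\\\\..\\..\\".encode("utf-16le")   # the characters .\\\..\..\ as UTF-16LE

PAYLOAD_HIT = FILLER + TRAVERSAL                     # pattern starts at byte 140
PAYLOAD_EARLY = TRAVERSAL + FILLER                   # pattern before offset 140
PAYLOAD_SPLIT = (FILLER + ".\\\\".encode("utf-16le")
                 + b"B" * 30 + "\\..\\..\\".encode("utf-16le"))   # second part outside within:20
PAYLOAD_BENIGN = FILLER + "\\\\server\\share\\file.txt".encode("utf-16le")

if __name__ == "__main__":
    for name, p in [("hit", PAYLOAD_HIT), ("early", PAYLOAD_EARLY),
                    ("split", PAYLOAD_SPLIT), ("benign", PAYLOAD_BENIGN)]:
        print(name, match_ms08067_rule(p))
```

The model shows what the rule does not model either: it inspects one payload at a time, so a request whose pattern is split across TCP segments or SMB/DCE/RPC fragments only matches if the stream and DCE/RPC preprocessors have reassembled it first, and the fixed offset:140 assumes a particular request layout before the path.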

Wednesday, December 17, 2008

Snort with Ossim-agent

The OSSIM agent cannot support the new snort-2.8 with the 2.6.1-ossim.patch file, although the patching itself works well.

When the patched snort-2.8 is used to generate the unified log, the OSSIM agent stops analysing it. Maybe there is some incompatibility.

When I use snort-2.6.1 with 2.6.1-ossim.patch, it works well.

Tuesday, August 26, 2008

Snort DCE/RPC Preprocessor Buffer Overflow attack test

Attack code for the snort 2.6.1 DCE/RPC Preprocessor Buffer Overflow has been around for a while.
Today I had time to try it out.

First, the code is available at http://www.milw0rm.com/exploits/3362.
From its description you can tell that the code is built on Scapy.
Scapy can be downloaded from http://www.secdev.org/projects/scapy/. Since I am not familiar with Python, I just fumbled my way through using it. Scapy is very powerful, but it needs a solid grounding in Python. It looks like once I have learned shell properly, I really need to learn Perl or Python.

Download scapy.py into /tmp/, and save the exploit code as snort-Dos.py, also in /tmp. This machine's IP address is 10.1.5.161.

I had earlier set up a snort+BASE+apache+mysql environment on the machine 10.1.5.101, but because BASE felt a bit cumbersome, for this test I edited /etc/snort/snort.conf
and put a # in front of the line output database: log, mysql, user=snort password=snort dbname=snort host=localhost (commenting it out),
so that the logs snort produces are written only to /var/log/snort/alert.

1. First, start snort on the host where snort is installed:
[root@snort ~]# snort -d -c /etc/snort/snort.conf -i eth0
2. Then open another terminal on the snort host and use
[root@snort ~]# tail -f /var/log/snort/alert
to watch the new log entries snort produces.
3. On the 10.1.5.161 machine, first run a scan as a test:
[root@attacker ~]# nmap -sS 10.1.5.101
4. On the snort host,
[root@snort ~]# tail -f /var/log/snort/alert shows new output, confirming that snort is working normally.
[code]
[**] [1:469:4] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/03-23:19:57.184828 10.1.5.161 -> 10.1.5.101
ICMP TTL:47 TOS:0x0 ID:35824 IpLen:20 DgmLen:28
Type:8 Code:0 ID:21771 Seq:57182 ECHO
[Xref => http://www.whitehats.com/info/IDS162]
...
[/code]
5. Run the attack code:
[root@attacker /tmp]# ./snort-Dos.py 10.1.5.101

I tried it N times, then ran nmap -sS 10.1.5.101 again
and looked at the snort log: normal alerts were still being produced, and snort did not crash as the code's description says it should.
6. Try other possibilities.
Since the snort host is Linux and has no TCP port 139 open, I wondered whether that might be the reason.
So I opened a new terminal and ran [root@snort ~]# nc -l -p 139, then tried again; still no crash.
7. On the snort host I ran tcpdump -i eth0 not port 22 and host 10.1.5.101 -s 0 -w snort-Dos.cap, then looked at the packet format in ethereal and found nothing abnormal.

I hope someone with experience of this crash can help me analyse the cause, so that I can finish writing up this test. Thanks.
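The test above relies on reading /var/log/snort/alert by eye before and after each attempt. As an added example (not from the original post and not part of Snort), here is a parser for the "full" alert format quoted in step 4, with a helper that answers the question step 5 asks: did the sensor keep alerting after a given point in time? The second record in the sample log is constructed; the first is the one quoted in the post.

```python
import re

# Added example, not from the original post: a parser for the "full" alert
# format snort writes to /var/log/snort/alert, plus a helper that lists the
# records logged after a given timestamp. It knows only the IPv4
# "src[:port] -> dst[:port]" form shown in the post.

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
XREF_RE = re.compile(r"^\[Xref => (.*?)\]$")


def _split_endpoint(endpoint):
    """'10.1.5.161' -> ('10.1.5.161', None); '10.1.5.161:40001' -> ('10.1.5.161', 40001)."""
    if ":" in endpoint:                   # IPv4 only; IPv6 literals are not handled
        host, port = endpoint.rsplit(":", 1)
        return host, int(port)
    return endpoint, None


def parse_alerts(text):
    """Parse full-format alert records into a list of dicts."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4), "xrefs": []}
            alerts.append(current)
            continue
        if current is None:
            continue                      # ignore anything before the first record
        m = CLASS_RE.match(line)
        if m:
            current["classification"] = m.group(1)
            current["priority"] = int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m:
            current["timestamp"] = m.group(1)
            current["src"], current["sport"] = _split_endpoint(m.group(2))
            current["dst"], current["dport"] = _split_endpoint(m.group(3))
            continue
        m = PROTO_RE.match(line)
        if m:
            current["proto"], current["ttl"] = m.group(1), int(m.group(2))
            continue
        m = XREF_RE.match(line)
        if m:
            current["xrefs"].append(m.group(1))
        # other lines (ICMP type/code, TCP flags, ...) are not needed here
    return alerts


def alerts_after(alerts, timestamp):
    """Records with a timestamp later than the given one. Full-format timestamps
    are MM/DD-HH:MM:SS.usec, so within one year string comparison orders them."""
    return [a for a in alerts if a.get("timestamp", "") > timestamp]


# Constructed log: the first record is the one quoted in the post, the second
# is made up (fictional sid) to show a TCP record with ports.
SAMPLE_LOG = """
[**] [1:469:4] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/03-23:19:57.184828 10.1.5.161 -> 10.1.5.101
ICMP TTL:47 TOS:0x0 ID:35824 IpLen:20 DgmLen:28
Type:8 Code:0 ID:21771 Seq:57182 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:9999999:1] CONSTRUCTED TEST ALERT [**]
[Classification: Misc activity] [Priority: 3]
03/03-23:25:10.000001 10.1.5.161:40001 -> 10.1.5.101:139
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for a in alerts_after(parsed, "03/03-23:20:00"):
        print(a["timestamp"], a["sid"], a["msg"], a["src"], "->", a["dst"], a["dport"])
```

Used against the real file, note the time the exploit was launched, then call alerts_after with that timestamp after the follow-up nmap scan: an empty result while the scan is known to trigger sid 469 means the sensor stopped alerting, which is the observable symptom the post was looking for.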