For a recent project it became necessary to look at only the first 20 packets of each TCP connection to and from a given port. Capturing the traffic itself is easy with tcpdump, but tcpdump has no notion of connection state, so it cannot stop recording a connection once a given number of packets has been seen. The stream and session tracking introduced in Snort 1.9 (the stream4 preprocessor) does the trick perfectly, because every packet handed to a preprocessor carries a pointer to its session's bookkeeping.
The new stream functionality works through a series of interlocking data structures. The Packet struct that Snort passes to each preprocessor contains a pointer to the TCP session tracking information (void *ssnptr). Note that it is a void pointer: it is NULL for non-TCP packets and for packets stream4 is not (yet) tracking, so a preprocessor must check it before casting.
This ssnptr is a pointer to the Session data structure (from decode.h):
typedef struct _Session
{
ubi_trNode Node; /* Record keeper for the ubx stuff */
Stream server;
Stream client;
u_int32_t start_time; /* unix second the session started */
u_int32_t last_session_time; /* last time this session got a packet */
u_int32_t session_flags; /* special little flags we keep */
u_int8_t flush_point;
u_int8_t ttl; /* track the ttl of this current session ( only done on client side ) */
} Session;
In this case, what we are interested in are the two Stream structures (one per direction, server and client). To get at them, cast ssnptr to a Session pointer, dereference it, and read the per-direction counters. The Stream structure looks like:
typedef struct _Stream
{
u_int32_t ip; /* IP addr */
u_int16_t port; /* port number */
u_int8_t state; /* stream state */
u_int32_t isn; /* initial sequence number */
u_int32_t current_seq; /* current sequence number */
u_int32_t base_seq; /* base seq num for this packet set */
u_int32_t last_ack; /* last segment ack'd */
u_int16_t win_size; /* window size */
u_int32_t next_seq; /* next sequence we expect to see -- used on reassemble */
u_int32_t pkts_sent; /* track the number of packets in this stream */
u_int32_t bytes_sent; /* track the number of bytes in this stream */
ubi_trRoot data;
ubi_trRootPtr dataPtr;
} Stream;
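The following is an added example (not code from the original post and not Snort's own source) of the check a preprocessor would make to keep only the first 20 packets of every session on a given port: cast ssnptr to a Session, confirm one side's port matches, and add the client and server pkts_sent counters. So that it compiles and runs outside Snort, the Snort structures are replaced by trimmed stand-ins carrying only the fields used here (stdint types instead of u_int32_t, and no ubi tree members); in a real preprocessor you would #include Snort's headers instead. It assumes stream4 has already incremented pkts_sent for the current packet, i.e. stream4 is listed before this preprocessor in snort.conf. The simulate() driver is a constructed stand-in for stream4's bookkeeping.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for Snort 1.9's Stream/Session/Packet (assumption: only the
 * fields the check needs are kept; field meanings follow the post). */
typedef struct _Stream {
    uint32_t ip;          /* IP addr of this side */
    uint16_t port;        /* port number of this side */
    uint8_t  state;       /* stream state */
    uint32_t pkts_sent;   /* packets seen from this side so far */
    uint32_t bytes_sent;  /* bytes seen from this side so far */
} Stream;

typedef struct _Session {
    Stream   server;
    Stream   client;
    uint32_t start_time;        /* unix second the session started */
    uint32_t last_session_time; /* last time this session got a packet */
    uint32_t session_flags;
} Session;

typedef struct _Packet {
    uint16_t sp;        /* TCP source port */
    uint16_t dp;        /* TCP destination port */
    void    *ssnptr;    /* stream4's Session for this packet, or NULL */
} Packet;

#define MAX_PKTS 20

/* Return 1 if the packet belongs to a tracked TCP session involving `port`
 * and no more than `limit` packets (both directions) have been counted
 * on it, including this one; 0 otherwise. */
int want_packet(const Packet *p, uint16_t port, uint32_t limit)
{
    const Session *ssn;
    uint32_t total;

    if (p == NULL || p->ssnptr == NULL)
        return 0;               /* not TCP, or stream4 is not tracking it */

    ssn = (const Session *)p->ssnptr;
    if (ssn->client.port != port && ssn->server.port != port)
        return 0;               /* session does not involve the port */

    total = ssn->client.pkts_sent + ssn->server.pkts_sent;
    return total <= limit;
}

/* Constructed driver: run npkts packets through one session whose server
 * side is server_port, alternating direction like a request/response
 * exchange, updating pkts_sent the way stream4 would, and count how many
 * packets want_packet() keeps when filtering on wanted_port. */
uint32_t simulate(uint16_t server_port, uint16_t wanted_port,
                  uint32_t npkts, uint32_t limit)
{
    Session ssn;
    Packet p;
    uint32_t i, kept = 0;

    memset(&ssn, 0, sizeof ssn);
    ssn.client.port = 40123;    /* arbitrary ephemeral port */
    ssn.server.port = server_port;
    p.ssnptr = &ssn;

    for (i = 0; i < npkts; i++) {
        if (i % 2 == 0) {       /* client -> server */
            p.sp = ssn.client.port; p.dp = ssn.server.port;
            ssn.client.pkts_sent++;
        } else {                /* server -> client */
            p.sp = ssn.server.port; p.dp = ssn.client.port;
            ssn.server.pkts_sent++;
        }
        if (want_packet(&p, wanted_port, limit))
            kept++;
    }
    return kept;
}

/* A packet with no session (e.g. UDP) must never be kept. */
int untracked_is_skipped(void)
{
    Packet p = { 1234, 80, NULL };
    return want_packet(&p, 80, MAX_PKTS) == 0;
}

int main(void)
{
    printf("kept %u of 25 packets on port 80\n", simulate(80, 80, 25, MAX_PKTS));
    printf("kept %u of 25 packets when filtering on port 22\n", simulate(80, 22, 25, MAX_PKTS));
    printf("untracked packet skipped: %d\n", untracked_is_skipped());
    return 0;
}
```

Because pkts_sent is kept per direction, a one-sided limit (say, "first 20 packets from the client") is the same check against ssn->client.pkts_sent alone; the sum is what gives "first 20 packets of the connection".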
The sample program may be found here; it is compiled in and registered like any other preprocessor. For the steps involved, see the notes on installing the spp_dns_session preprocessor on Snort 1.9.x.