
List:       snort-devel
Subject:    Re: [Snort-devel] Snort Supports SCTP
From:       Joshua Kinard <kumba () gentoo ! org>
Date:       2013-05-20 17:52:01
Message-ID: 519A62C1.4010106 () gentoo ! org


On 05/20/2013 1:20 AM, Joshua Kinard wrote:
> On 05/16/2013 7:53 AM, Russ Combs wrote:
>> It is on our radar, but there are no specific plans at this point.
>>
>> On Wed, May 15, 2013 at 5:06 AM, marwane azzouzi
>> <azzouzi.marwane@hotmail.fr> wrote:
>>>
>>> Hello,
>>>
>>> My question concerns the support of the SCTP protocol by Snort in a mobile
>>> context (SIGTRAN).
>>> I see that there is no preprocessor to decode the SCTP protocol such as the
>>> SIP or HTTP preprocessors...
>>> Did the team intend to develop that feature?
>>>
>>> Any information?
>>>
>>> Thx
>>>
>>> marwane
> 
> Try the attached.  I have a strange fascination with SCTP, so back in 2011,
> I copied the Stream5 UDP code and made a very generic SCTP Stream5 module,
> as well as duplicated all the code points where UDP was parsed to parse
> SCTP.  I also added a DecodeSCTP function and various helpers to decode.c,
> and other bits that I'm not going to enumerate here.  I just updated all the
> code today to work with snort-2.9.4.6, and tested it on both IPv4 and
> IPv6-based packet captures that I managed to hunt down off of Google.
[snip]

Oops, I almost forgot to mention, I have a bunch of raw printf() statements
left over in decoder.c from debugging.  Remove those if they get too
annoying with the supplied patch (to be added after the first two).  I've
only tested this code on the handful of SCTP packet captures off of Google,
as I do not have a real SCTP setup to generate live traffic.


-- 
Joshua Kinard
Gentoo/MIPS
kumba@gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

["snort-2946-sctp-kill-debugging.patch" (text/plain)]

diff --git a/src/decode.c b/src/decode.c
index 8aac65b..9d7bbb2 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -3105,7 +3105,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
     {
         /* DATA Chunk */
         case SCTP_DATA_C:
-            printf("DEBUG: Got DATA chunk!\n");
             CHECK_CHUNK_LENGTH(DATA, SCTP_DATA_C_LEN)
 
             /*
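Review bot: removing the unconditional printf() from the DATA case is the right call, and the same reasoning covers the other twenty cases in this patch: a write to stdout on every chunk sits in the decoder hot path, costs a syscall per packet, and lets any sender fill the sensor's console or captured output with "DEBUG: Got DATA chunk!" lines. If per-chunk tracing is still wanted, guard it with a compile-time debug macro so it is absent from release builds rather than re-adding a bare printf(). One documentation nit: the covering message says the statements were left in decoder.c, while the file header here is src/decode.c; the message text should name the file the patch actually touches.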
@@ -3130,7 +3129,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* INIT Chunk */
         case SCTP_INIT_C:
-            printf("DEBUG: Got INIT chunk!\n");
             CHECK_CHUNK_LENGTH(INIT, SCTP_INIT_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(INIT)
 
@@ -3173,7 +3171,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* INIT ACK Chunk */
         case SCTP_INIT_ACK_C:
-            printf("DEBUG: Got INIT_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(INIT_ACK, SCTP_INIT_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(INIT_ACK)
 
@@ -3208,7 +3205,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* SACK Chunk */
         case SCTP_SACK_C:
-            printf("DEBUG: Got SACK chunk!\n");
             CHECK_CHUNK_LENGTH(SACK, SCTP_SACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(SACK)
 
@@ -3216,7 +3212,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* HEARTBEAT Chunk */
         case SCTP_HEARTBEAT_C:
-            printf("DEBUG: Got HEARTBEAT chunk!\n");
             CHECK_CHUNK_LENGTH(HEARTBEAT, SCTP_HEARTBEAT_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(HEARTBEAT)
 
@@ -3224,7 +3219,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* HEARTBEAT_ACK Chunk */
         case SCTP_HEARTBEAT_ACK_C:
-            printf("DEBUG: Got HEARTBEAT_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(HEARTBEAT_ACK, SCTP_HEARTBEAT_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(HEARTBEAT_ACK)
 
@@ -3232,7 +3226,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ABORT Chunk */
         case SCTP_ABORT_C:
-            printf("DEBUG: Got ABORT chunk!\n");
             CHECK_CHUNK_LENGTH(ABORT, SCTP_ABORT_C_LEN)
 
             /* Make sure the ABORT chunk's reserved area in flags is 0. */
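Review bot: the ABORT case (like SHUTDOWN_COMPLETE and PKTDROP later in the patch) has no CHECK_CHUNK_FLAGS_ARE_ZERO after the length check and instead relies on the hand-rolled reserved-bit test introduced by the "Make sure the ABORT chunk's reserved area in flags is 0" comment, because the T bit is legitimately set in these chunk types. The hunk header (-3232,7 +3226,6) confirms only the single printf() line was dropped, so that check is intact; worth keeping in mind that these three cases are the ones where a careless cleanup could silently drop a validation line.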
@@ -3250,7 +3243,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* SHUTDOWN Chunk */
         case SCTP_SHUTDOWN_C:
-            printf("DEBUG: Got SHUTDOWN chunk!\n");
             CHECK_CHUNK_LENGTH(SHUTDOWN, SCTP_SHUTDOWN_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(SHUTDOWN)
 
@@ -3258,7 +3250,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* SHUTDOWN_ACK Chunk */
         case SCTP_SHUTDOWN_ACK_C:
-            printf("DEBUG: Got SHUTDOWN_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(SHUTDOWN_ACK, SCTP_SHUTDOWN_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(SHUTDOWN_ACK)
 
@@ -3266,7 +3257,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ERROR Chunk */
         case SCTP_ERROR_C:
-            printf("DEBUG: Got ERROR chunk!\n");
             CHECK_CHUNK_LENGTH(ERROR, SCTP_ERROR_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(ERROR)
 
@@ -3276,7 +3266,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* COOKIE_ECHO Chunk */
         case SCTP_COOKIE_ECHO_C:
-            printf("DEBUG: Got COOKIE_ECHO chunk!\n");
             CHECK_CHUNK_LENGTH(COOKIE_ECHO, SCTP_COOKIE_ECHO_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(COOKIE_ECHO)
 
@@ -3284,7 +3273,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* COOKIE_ACK Chunk */
         case SCTP_COOKIE_ACK_C:
-            printf("DEBUG: Got COOKIE_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(COOKIE_ACK, SCTP_COOKIE_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(COOKIE_ACK)
 
@@ -3292,7 +3280,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ECNE Chunk */
         case SCTP_ECNE_C:
-            printf("DEBUG: Got ECNE chunk!\n");
             CHECK_CHUNK_LENGTH(ECNE, SCTP_ECNE_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(ECNE)
 
@@ -3300,7 +3287,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* CWR Chunk */
         case SCTP_CWR_C:
-            printf("DEBUG: Got CWR chunk!\n");
             CHECK_CHUNK_LENGTH(CWR, SCTP_CWR_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(CWR)
 
@@ -3308,7 +3294,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* SHUTDOWN_COMPLETE Chunk */
         case SCTP_SHUTDOWN_COMPLETE_C:
-            printf("DEBUG: Got SHUTDOWN_COMPLETE chunk!\n");
             CHECK_CHUNK_LENGTH(SHUTDOWN_COMPLETE, SCTP_SHUTDOWN_COMPLETE_C_LEN)
 
             /* Make sure the SHUTDOWN_COMPLETE chunk's reserved area in flags is 0. */
@@ -3323,7 +3308,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* AUTH Chunk */
         case SCTP_AUTH_C:
-            printf("DEBUG: Got AUTH chunk!\n");
             CHECK_CHUNK_LENGTH(AUTH, SCTP_AUTH_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(AUTH)
 
@@ -3331,7 +3315,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ASCONF_ACK Chunk */
         case SCTP_ASCONF_ACK_C:
-            printf("DEBUG: Got ASCONF_ACK chunk!\n");
             CHECK_CHUNK_LENGTH(ASCONF_ACK, SCTP_ASCONF_ACK_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(ASCONF_ACK)
 
@@ -3339,7 +3322,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* PKTDROP Chunk */
         case SCTP_PKTDROP_C:
-            printf("DEBUG: Got PKTDROP chunk!\n");
             CHECK_CHUNK_LENGTH(PKTDROP, SCTP_PKTDROP_C_LEN)
 
             /* Make sure the PKTDROP chunk's reserved area in flags is 0. */
@@ -3361,7 +3343,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* RE-CONFIG Chunk */
         case SCTP_RECONFIG_C:
-            printf("DEBUG: Got RE-CONFIG chunk!\n");
             CHECK_CHUNK_LENGTH(RECONFIG, SCTP_RECONFIG_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(RECONFIG)
 
@@ -3369,7 +3350,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* PAD Chunk */
         case SCTP_PAD_C:
-            printf("DEBUG: Got PAD chunk!\n");
             CHECK_CHUNK_LENGTH(PAD, SCTP_PAD_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(PAD)
 
@@ -3377,7 +3357,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* FORWARD_TSN Chunk */
         case SCTP_FORWARD_TSN_C:
-            printf("DEBUG: Got FORWARD_TSN chunk!\n");
             CHECK_CHUNK_LENGTH(FORWARD_TSN, SCTP_FORWARD_TSN_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(FORWARD_TSN)
 
@@ -3385,7 +3364,6 @@ void SctpChunkTests(Packet *p, const SctpChunk *sctp_chunk)
 
         /* ASCONF Chunk */
         case SCTP_ASCONF_C:
-            printf("DEBUG: Got ASCONF chunk!\n");
             CHECK_CHUNK_LENGTH(ASCONF, SCTP_ASCONF_C_LEN)
             CHECK_CHUNK_FLAGS_ARE_ZERO(ASCONF)
 

