From paul at tatarsky.com Mon Aug 25 23:38:45 2008
From: paul at tatarsky.com (Paul Tatarsky)
Date: Mon, 25 Aug 2008 22:38:45 -0500
Subject: [Snortsam-discussion] Possible easy fix for x86_64 twofish issue from ntop n2n code
Message-ID: <48B37AC5.3000107@tatarsky.com>

I didn't see this as being fixed yet. If I missed it, my apologies.

I have a few x86_64 systems with snortsam needs and I Googled around tonight and noted that the ntop folks may have fixed the twofish.c code for 64-bit portability as part of their n2n project.

Or at least it seems that way, as I have samtool and snortsam 2.60 talking, I think encrypted, on an x86_64 box. Compiled there as well. I need to test more, but here is what I did so far.

I'm not much of a coder, but I've hacked these files into snortsam and samtool, plus a couple of mods to the TwoFishInit code in the 2.60 release.

The files I borrowed were from the n2n part of ntop located here:

http://www.ntop.org/n2n/

svn co https://svn.ntop.org/svn/ntop/trunk/n2n

(which is an interesting looking animal on a few non-related levels)

There is a modded Snortsam twofish.c and twofish.h in there. Basically it looks like a lot of u_int8_t mods. Then you need to add basically a strlen(keysize) to lots of TwoFishInit calls, or do something more intelligent. This matches the n2n version of TwoFishInit.

I made several mods like this in the various snortsam items that call TwoFishInit:

    station->stationfish=TwoFishInit(station->stationkey,strlen(station->stationkey));

I suppose you could re-mod his TwoFishInit code.

I'm testing with the Snort plugin shortly, but I was able to get a block via samtool on an amd64 FreeBSD box.

Hope that helps others. I probably didn't explain it real well, so I'll try to write it up if I don't make any sense and I get it to work with the Snort plugin.
-- 
----------------------------------------------------------
Paul Tatarsky paul at tatarsky.com
----------------------------------------------------------

From frank at snortsam.net Tue Aug 26 00:53:06 2008
From: frank at snortsam.net (Frank Knobbe)
Date: Mon, 25 Aug 2008 23:53:06 -0500
Subject: [Snortsam-discussion] Possible easy fix for x86_64 twofish issue from ntop n2n code
In-Reply-To: <48B37AC5.3000107@tatarsky.com>
References: <48B37AC5.3000107@tatarsky.com>
Message-ID: <1219726386.45485.9.camel@localhost>

On Mon, 2008-08-25 at 22:38 -0500, Paul Tatarsky wrote:
> I didn't see this as being fixed yet. If I missed it, my apologies.

Nope, hasn't yet, you didn't miss a thing :)

> I have a few x86_64 systems with snortsam needs and I Googled around
> tonight and noted that the ntop folks may have fixed the twofish.c code
> for 64-bit portability as part of their n2n project.

Cool! I'll look at the code again soon. I've got some spare time coming up next week and will investigate.

> Or at least it seems that way as I have samtool and snortsam 2.60
> talking I think encrypted on a x86_64 box. Compiled there as well. I
> need to test more but here is what I did so far.

Please report on your results.

> I suppose you could re-mod his TwoFishInit code.

Yeah, I'll take a look and check out what they modded, and implement that in my version.

Also still on the to-do from years ago is a better check for successful decryption, by adding a trailing 0-block to the encryption and verifying at decryption time that the last block is indeed all 0, to ensure that no bit-twiddling occurred somewhere before then. The better way would be to add a hash of the plaintext to the ciphertext and verify that after decryption, but that may be overkill for the use of TwoFish in Snortsam. I think a quick 0-block check would be sufficient.

Thanks for spotting that. I promise I'll work on that shortly.
Cheers,
Frank

From paul at tatarsky.com Tue Aug 26 09:22:09 2008
From: paul at tatarsky.com (Paul Tatarsky)
Date: Tue, 26 Aug 2008 08:22:09 -0500
Subject: [Snortsam-discussion] Possible easy fix for x86_64 twofish issue from ntop n2n code
In-Reply-To: <1219726386.45485.9.camel@localhost>
References: <48B37AC5.3000107@tatarsky.com> <1219726386.45485.9.camel@localhost>
Message-ID: <48B40381.3090108@tatarsky.com>

>> Or at least it seems that way as I have samtool and snortsam 2.60
>> talking I think encrypted on a x86_64 box. Compiled there as well. I
>> need to test more but here is what I did so far.
> Please report on your results.

I recompiled snort+fwsam output plugin with a similar "drop in" approach of the n2n twofish.c and twofish.h and made a few mods to the TwoFishInit calls in the output plugin to include the length of the key.

It has run cleanly all night and plenty of blocks are being issued (currently on this node it just reports via the email plugin what would be blocked, and shortly it will be hooked to IPFW2).

I've done no "cross platform" checks to see if I can remotely issue block requests to this diff'd-in version from, say, existing 32-bit versions. Some shortly.

> ciphertext and verify that after decryption, but that may be overkill
> for the use of TwoFish in Snortsam. I think a quick 0-block check would
> be sufficient.

I clearly state I know nothing about whether the n2n twofish mods are correct in terms of what they are doing ;) It looked like mostly type mods, but I would advise more review by somebody more familiar with the code than I.

> Thanks for spotting that. I'll promise I'll work on that shortly.

No rush on my end. Snortsam is a great tool which we love very much. It has worked reliably and happily for years in a BSD IPFW and PF environment. I am just now performing more research into the block signatures we consider "safe" for our main environment (a .edu), and the system in question happens to be an x86_64 BSD system.
Thanks for the work regardless!

-- 
----------------------------------------------------------
Paul Tatarsky paul at tatarsky.com
----------------------------------------------------------

From Chris.McLeod at cityofthornton.net Thu Aug 14 12:57:42 2008
From: Chris.McLeod at cityofthornton.net (Chris McLeod)
Date: Thu, 14 Aug 2008 16:57:42 -0000
Subject: [Snortsam-discussion] ISA 2004/2006 Plugins
Message-ID:

All,

I was perusing the archives of this list and found a post describing success using the snort-sam plugin for ISA 2004/2006. I am interested in getting any information I can about this (I believe .dll's and a readme were mentioned). The poster was Mark Clift and the entire email is listed below.

Thanks in advance,

Chris McLeod
Network Services Manager
City of Thornton
9500 Civic Center Drive
(303) 538-7633


Hello All,

It has been a long time since I have posted to this list, but I have been watching for any question regarding the ISA 2004/2006 plugin. I have in the past worked on the ISA 2004 plugin and wanted to give an update on it.

The plugin I see is part of the current CVS 2.54 and I am happy to report that it still compiles without issue and the code is compatible with ISA 2006. All that is needed is to use the proper DLL when making. I have several Snort 2.8.0.2 compiled and running on several windows based IDSs (I know most probably cringe) communicating with SnortSam on both ISA 2004 and 2006 firewalls utilizing the latest CVS 2.54 build.

Speaking of the public CVS, the 2.54 version has a small typo in the file supporting ISA 2000 - ssp_isa.cpp. The path to the contrib folder has the path to the 2004 contrib subfolder instead of the needed 2000 contrib folder path.

Line 47 reads -

    #import "..\\contrib\\isa2004\\msfpccom.dll" no_namespace

Should read -

    #import "..\\contrib\\isa2000\\msfpccom.dll" no_namespace

I have some DLLs and built binaries and, more importantly, a README for the plugin I would like to share with the project.
The current code remains the same (except adding an additional line for the 2006 contrib folder path), so no changes there. If Matt or Frank could let me know more about how to get those to you, please let me know.

I will continue to watch the list in case someone is interested in using the plugin and needs help.

Thank you.

Best Regards,

Mark P. Clift
716.447.7000 office
716.332.0060 direct
mark.clift at usitek.com
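Frank's message earlier in this thread proposes two ways to detect corrupted or tampered ciphertext after decryption: a trailing all-zero block, or a hash of the plaintext appended before encryption. The following added example is not SnortSam code and not part of the thread; it frames a constructed message both ways and shows what each check catches under a single flipped ciphertext bit. It uses a labelled stand-in stream construction rather than Twofish, and since the thread does not say which cipher mode SnortSam uses, the exact coverage of the zero-block check will differ with the real cipher.

```python
import hashlib
import hmac

BLOCK = 16  # Twofish's 128-bit block size; the framing below is sized to it

def _crypt(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the demo only (NOT Twofish, not secure): XOR with a
    # SHA-256 counter stream, so encrypt and decrypt are the same operation.
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(x ^ y for x, y in zip(data, stream))

def _pad(data: bytes) -> bytes:
    # zero-pad to a whole number of blocks; callers strip it (no NUL in data)
    return data + b"\x00" * (-len(data) % BLOCK)

def encrypt_with_zero_block(key: bytes, plaintext: bytes) -> bytes:
    # Frank's first proposal: append an all-zero trailer block
    return _crypt(key, _pad(plaintext) + b"\x00" * BLOCK)

def decrypt_check_zero_block(key: bytes, ciphertext: bytes):
    # returns the padded plaintext, or None if the trailer is not all zero
    plain = _crypt(key, ciphertext)
    if plain[-BLOCK:] != b"\x00" * BLOCK:
        return None
    return plain[:-BLOCK]

def encrypt_with_hash(key: bytes, plaintext: bytes) -> bytes:
    # Frank's second proposal: append a hash of the plaintext (32 bytes)
    body = _pad(plaintext)
    return _crypt(key, body + hashlib.sha256(body).digest())

def decrypt_check_hash(key: bytes, ciphertext: bytes):
    # returns the padded plaintext, or None if the recomputed hash differs
    plain = _crypt(key, ciphertext)
    body, tag = plain[:-32], plain[-32:]
    if not hmac.compare_digest(hashlib.sha256(body).digest(), tag):
        return None
    return body

def flip_bit(ciphertext: bytes, index: int) -> bytes:
    # simulate one flipped bit in transit (the "bit-twiddling" Frank mentions)
    buf = bytearray(ciphertext)
    buf[index] ^= 0x01
    return bytes(buf)
```

With this stand-in, a flip anywhere outside the trailer block passes the zero-block check but fails the hash check, which is the gap Frank's "better way" closes; a keyed MAC over the ciphertext is the standard form of that stronger check today.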