From the.keithm at gmail.com Tue Sep 9 13:48:14 2008
From: the.keithm at gmail.com (Keith Mitchell)
Date: Tue, 9 Sep 2008 10:48:14 -0700
Subject: [Snortsam-discussion] Possible easy fix for x86_64 twofish issue from ntop n2n code
In-Reply-To: <48B40381.3090108@tatarsky.com>
References: <48B37AC5.3000107@tatarsky.com> <1219726386.45485.9.camel@localhost> <48B40381.3090108@tatarsky.com>
Message-ID: <404239180809091048h2f106a75sb84fafaaa50e8a57@mail.gmail.com>

Alright, I'm more than a bit of a neophyte when it comes to modding C code.
Is the solution as simple as dropping the twofish code from the ntop svn into
the snortsam codebase and recompiling? Or are there specific files that have
to be patched once the code is dropped in? I'm VERY interested in this...

On Tue, Aug 26, 2008 at 6:22 AM, Paul Tatarsky wrote:
>
> >> Or at least it seems that way as I have samtool and snortsam 2.60
> >> talking I think encrypted on a x86_64 box. Compiled there as well. I
> >> need to test more but here is what I did so far.
> > Please report on your results.
>
> I recompiled snort+fwsam output plugin with a similar "drop in" approach
> of the n2n twofish.c and twofish.h and made a few mods to the
> TwoFishInit calls in the output plugin to include the length of the key.
>
> It has run cleanly all night and plenty of blocks are being issued
> (currently on this node it just reports via the email plugin what would
> be blocked and shortly it will be hooked to IPFW2).
>
> I've done no "cross platform" checks to see if I can remotely issue
> block requests to this diff'd in version from say existing 32-bit
> versions. Some shortly.
>
> > ciphertext and verify that after decryption, but that may be overkill
> > for the use of TwoFish in Snortsam. I think a quick 0-block check would
> > be sufficient.
>
> I clearly state I know nothing about if the n2n twofish mods are correct
> in terms of what they are doing ;)
>
> It looked like mostly type mods but I would advise more review by
> somebody more familiar with the code than I.
>
> > Thanks for spotting that. I'll promise I'll work on that shortly.
>
> No rush on my end. Snortsam is a great tool which we love very much. It
> has worked reliably and happily for years in a BSD IPFW and PF
> environment. I am just now performing more research into the block
> signatures we consider "safe" for our main environment (a .edu) and the
> system in question happens to be an x86_64 BSD system.
>
> Thanks for the work regardless!
>
> --
> ----------------------------------------------------------
> Paul Tatarsky paul at tatarsky.com
> ----------------------------------------------------------

From paul at tatarsky.com Tue Sep 9 14:10:55 2008
From: paul at tatarsky.com (Paul Tatarsky)
Date: Tue, 09 Sep 2008 13:10:55 -0500
Subject: [Snortsam-discussion] Possible easy fix for x86_64 twofish issue from ntop n2n code
In-Reply-To: <404239180809091048h2f106a75sb84fafaaa50e8a57@mail.gmail.com>
References: <48B37AC5.3000107@tatarsky.com> <1219726386.45485.9.camel@localhost> <48B40381.3090108@tatarsky.com> <404239180809091048h2f106a75sb84fafaaa50e8a57@mail.gmail.com>
Message-ID: <48C6BC2F.7000002@tatarsky.com>

> Is the solution as simple as dropping the twofish code from the ntop svn
> into the snortsam codebase and recompiling?

Not quite. After dropping into both snort and snortsam, the main change is
adding the argument to TwoFishInit to include the keysize.
The ntop n2n TwoFishInit call includes a key length argument:

TWOFISH *TwoFishInit(const u_int8_t *userkey, u_int32_t keysize );
                                              ^^^^^^^^^^^^^^^^^

I think in snort I just modified:

src/output-plugins/spo_alert_fwsam.c

to include that. A few more places in snortsam itself.

I'll try to make a diff of the combined changes of snortsam 2.60 and snort
2.8.3 which is what I'm pushing around this week. Give me a notch for that
as other misery is afoot.

The mods have been working but only on a single system that runs both Snort
and snortsam on the same system. I've not tried talking between units
with/without the mods yet.

--
----------------------------------------------------------
Paul Tatarsky paul at tatarsky.com
----------------------------------------------------------
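An added illustration, not code from this thread, from snortsam or from the n2n sources: the thread attributes the x86_64 breakage to "type mods", and the classic cause in 32-bit-era cipher code is arithmetic on unsigned long, which is 64 bits wide on LP64 x86_64 but 32 bits on the i386 boxes the code was written for. The rotate, the two-step "key schedule" and the S-box index below are hypothetical stand-ins chosen to show the failure, not the Twofish key schedule itself.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate-left as found in many 32-bit-era cipher sources. It silently assumes
   'unsigned long' is exactly 32 bits (ILP32). On LP64 platforms such as x86_64
   the bits shifted past bit 31 are kept instead of wrapping, so the value
   accumulates garbage above bit 31 that later operations pick up. */
static unsigned long rol_legacy(unsigned long x, unsigned n)
{
    return (x << n) | (x >> (32 - n));
}

/* The same rotate on a fixed-width type: correct on every platform. */
static uint32_t rol32(uint32_t x, unsigned n)
{
    n &= 31;
    return (x << n) | (x >> ((32 - n) & 31));
}

/* Hypothetical key-schedule step: two rotates, then the top byte is used as an
   index into a 256-entry S-box. Written the "legacy" way, with unsigned long. */
unsigned long sbox_index_legacy(unsigned long x)
{
    x = rol_legacy(x, 1);
    x = rol_legacy(x, 16);
    return x >> 24;              /* author assumed this is always 0..255 */
}

/* Same step on uint32_t: the index really is always 0..255. */
uint32_t sbox_index_fixed(uint32_t x)
{
    x = rol32(x, 1);
    x = rol32(x, 16);
    return x >> 24;
}

/* Returns 1 when the legacy arithmetic produces an index that would read past
   a 256-entry S-box: 0 on ILP32, 1 on LP64 for the constructed input below. */
int legacy_index_overflows(unsigned long x)
{
    return sbox_index_legacy(x) > 255 ? 1 : 0;
}

int main(void)
{
    unsigned long in = 0x80000001ul;   /* constructed input, not a real key word */
    printf("sizeof(unsigned long) = %zu\n", sizeof(unsigned long));
    printf("fixed-width index : %u\n", (unsigned)sbox_index_fixed((uint32_t)in));
    printf("legacy index      : %lu\n", sbox_index_legacy(in));
    printf("legacy overflows  : %d\n", legacy_index_overflows(in));
    return 0;
}
```

Built on an x86_64 host the legacy index comes out as 16777216 while the fixed-width index is 0; on an i386 host the two agree, which is why such code "just worked" until it was compiled on a 64-bit box.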