[Snortsam-discussion] Possible easy fix for x86_64 twofish issue from ntop n2n code

Keith Mitchell the.keithm at gmail.com
Tue Sep 9 13:48:14 EDT 2008


Alright, I'm more than a bit of a neophyte when it comes to modding C code.

Is the solution as simple as dropping the twofish code from the ntop svn
into the snortsam codebase and recompiling?

Or are there specific files that have to be patched once the code is dropped
in?

I'm VERY interested in this...

On Tue, Aug 26, 2008 at 6:22 AM, Paul Tatarsky <paul at tatarsky.com> wrote:

> >> Or at least it seems that way as I have samtool and snortsam 2.60
> >> talking I think encrypted on a x86_64 box. Compiled there as well. I
> >> need to test more but here is what I did so far.
> > Please report on your results.
>
> I recompiled snort+fwsam output plugin with a similar "drop in" approach
> of the n2n twofish.c and twofish.h and made a few mods to the
> TwoFishInit calls in the output plugin to include the length of the key.
>
> It has run cleanly all night and plenty of blocks are being issued
> (currently on this node it just reports via the email plugin what would
> be blocked and shortly it will be hooked to IPFW2).
>
> I've done no "cross platform" checks to see if I can remotely issue
> block requests to this diff'd in version from say existing 32-bit
> versions. Some shortly.
>
> > ciphertext and verify that after decryption, but that may be overkill
> > for the use of TwoFish in Snortsam. I think a quick 0-block check would
> > be sufficient.
>
> I clearly state I know nothing about if the n2n twofish mods are correct
> in terms of what they are doing ;)
>
> It looked like mostly type mods, but I would advise more review by
> somebody more familiar with the code than I.
>
> > Thanks for spotting that. I'll promise I'll work on that shortly.
>
> No rush on my end. Snortsam is a great tool which we love very much. It
> has worked reliably and happily for years in a BSD IPFW and PF
> environment. I am just now performing more research into the block
> signatures we consider "safe" for our main environment (a .edu) and the
> system in question happens to be an x86_64 BSD system.
>
> Thanks for the work regardless!
>
> --
> ----------------------------------------------------------
> Paul Tatarsky                            paul at tatarsky.com
> ----------------------------------------------------------
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>
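Added example (not code from Snortsam, n2n, or either poster): the kind of "type mod" that a port from i386 to x86_64 typically needs, and the quick zero-block known-answer check mentioned above. It assumes the breakage is the common case of 'unsigned long' being used as the cipher's 32-bit word (32 bits on i386, 64 bits on x86_64 under LP64); the thread itself only says "mostly type mods". The S-box-index step is a constructed illustration, and wiring the known-answer check to the actual TwoFishInit/encrypt calls is left to the reader, since those signatures are not on this page.

```c
/* Added example (not Snortsam's or n2n's twofish.c): the word-size pitfall
 * that can make 32-bit cipher code misbehave on x86_64, plus the zero-block
 * known-answer check discussed in the thread.  Assumption: the breakage is
 * of the common "unsigned long used as a 32-bit word" kind. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Legacy style: 'unsigned long' as the cipher word.  It is 32 bits on i386
 * but 64 bits on x86_64 (LP64), so bits shifted above bit 31 survive. */
typedef unsigned long LEGACY_WORD;

static LEGACY_WORD legacy_rol(LEGACY_WORD x, int n)
{
    return (x << n) | (x >> (32 - n));
}

/* Top byte of a word, used as an S-box index; correct only when the word
 * really is 32 bits wide. */
static LEGACY_WORD legacy_top_byte(LEGACY_WORD x)
{
    return x >> 24;
}

/* Fixed-width versions behave identically on every platform. */
static uint32_t rol32(uint32_t x, int n)
{
    return (x << n) | (x >> (32 - n));
}

static uint32_t top_byte32(uint32_t x)
{
    return x >> 24;
}

/* One simulated round step (constructed for illustration): rotate a word,
 * then take its top byte as an index into a 256-entry table.  Both
 * variants return the index they would use. */
unsigned long legacy_sbox_index(uint32_t word, int rot)
{
    return legacy_top_byte(legacy_rol(word, rot));
}

unsigned long fixed_sbox_index(uint32_t word, int rot)
{
    return top_byte32(rol32(word, rot));
}

/* 1 if the legacy arithmetic yields an in-range index (0..255) for this
 * input; 0 means it would read past the end of the S-box table. */
int legacy_index_in_range(uint32_t word, int rot)
{
    return legacy_sbox_index(word, rot) < 256;
}

/* Published Twofish ECB known-answer vector: 128-bit all-zero key and
 * all-zero plaintext.  Run the ported cipher on that input and pass the
 * 16 output bytes here; a port with wrong word arithmetic will not match. */
static const uint8_t TWOFISH_ZERO_KAT[16] = {
    0x9F, 0x58, 0x9F, 0x5C, 0xF6, 0x12, 0x2C, 0x32,
    0xB6, 0xBF, 0xEC, 0x2F, 0x2A, 0xE8, 0xC3, 0x5A
};

int twofish_zero_block_check(const uint8_t ct[16])
{
    return memcmp(ct, TWOFISH_ZERO_KAT, 16) == 0;
}

int main(void)
{
    uint32_t w = 0x80000000u;   /* constructed input: top bit set */

    printf("sizeof(unsigned long) = %zu\n", sizeof(unsigned long));
    printf("fixed  index: %lu\n", fixed_sbox_index(w, 1));
    printf("legacy index: %lu (%s)\n", legacy_sbox_index(w, 1),
           legacy_index_in_range(w, 1) ? "in range" : "OUT OF RANGE");
    return 0;
}
```

On a 32-bit build both index functions agree; on x86_64 the legacy version produces 256 for the top-bit-set input, i.e. one past the end of a 256-entry table, which is why a drop-in that only changes types can fix the cipher. The zero-block check is the cheapest cross-platform sanity test: if a 32-bit and a 64-bit build both reproduce the vector, they will interoperate on that block.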

