Wednesday, March 7, 2012

Satori - update 0.7.3 and most DLLs recompiled

I'm busy taking the SANS 503 IDS course, and one of the things we do in that course is look at BPF-style filters. Lo and behold, I use these in Satori to do some prefiltering of packets before Satori hashes through them. While I have complete confidence in my coding skills (brief pause as I control the hysterical laughing fit I've found myself in), it never hurts to preprocess the packets before I get them.

Some history on the filters; we'll look at the TCP fingerprinting one:

I noticed VLAN-tagged traffic wasn't being picked up, so up until yesterday the filter was:
'tcp or vlan'

Yesterday's first change:
'tcp or (vlan and tcp)' - a decent update; it meant only VLAN traffic that was also TCP got sent to me. But wait, we only want TCP traffic with options, so...

'tcp[12] > 50 or (vlan and tcp[12] > 50)'

So now, instead of having to process all TCP traffic with Satori, WinPcap only sends this DLL TCP traffic that has TCP options!

The other protocol DLLs still read the whole TCP packet, or the whole packet for that matter, but TCP processing should be a little quicker now, as I don't have to dig through the packet to see if it is TCP with options; I let WinPcap do it. I still check to see if there are options on it and don't assume all is good, but I limit the initial packets that I have to process!
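Here is an added worked example (my own code for this page, not Satori's and not from the original post) that emulates what that prefilter does against constructed frames. Two caveats a practitioner will want before relying on the filter as written. First, pcap filter syntax treats an unprefixed number as decimal, so `50` is 0x32; an option-less TCP header has a data offset of 5, which puts 0x50 (80) into tcp[12], and 80 > 50 is already true, so the decimal form lets every TCP packet through and the threshold needs to be written `0x50` (or, to ignore the reserved low nibble entirely, `tcp[12] & 0xf0 > 0x50`). Second, the pcap-filter man page states that the first `vlan` keyword shifts decoding offsets for the remainder of the expression, which is why the untagged clause has to come first, as it does above. The code builds Ethernet, 802.1Q, IPv4 and TCP headers with `struct` (constructed sample data, not captures), evaluates `tcp[12] > T or (vlan and tcp[12] > T)` at both link-layer lengths the way the compiled filter would, and then does the Satori-side recheck of the option list rather than trusting the filter.

```python
"""Emulate the prefilter 'tcp[12] > T or (vlan and tcp[12] > T)' on constructed frames."""
import struct

ETH_LEN = 14          # dst MAC + src MAC + ethertype
VLAN_TAG_LEN = 4      # 802.1Q TPID (0x8100) + TCI
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6

# Constructed sample option block: MSS 1460, NOP, window scale 7, SACK permitted.
SAMPLE_OPTIONS = b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x07" b"\x04\x02"


def build_frame(tcp_options=b"", vlan_id=None):
    """Build a constructed Ethernet[/802.1Q]/IPv4/TCP SYN frame (test data, not a capture)."""
    opts = tcp_options + b"\x00" * ((-len(tcp_options)) % 4)   # options are padded to 32-bit words
    data_offset = 5 + len(opts) // 4                           # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, data_offset << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is None:
        return macs + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
    return macs + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4) + ip + tcp


def tcp_byte12(frame, l2len):
    """Emulate 'tcp[12]' with the link layer assumed to be l2len bytes long.

    Returns None where the 'tcp' qualifier itself fails (wrong ethertype, not TCP,
    or a non-first fragment), mirroring libpcap's implicit checks.
    """
    if len(frame) < l2len + 20:
        return None
    if struct.unpack_from("!H", frame, l2len - 2)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[l2len:]
    ihl = (ip[0] & 0x0F) * 4
    frag_offset = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
    if ip[9] != IPPROTO_TCP or frag_offset != 0:
        return None
    tcp_off = l2len + ihl
    return frame[tcp_off + 12] if len(frame) > tcp_off + 12 else None


def is_vlan(frame):
    """Emulate the 'vlan' qualifier: outer ethertype is 802.1Q."""
    return struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_VLAN


def bpf_matches(frame, threshold):
    """Emulate 'tcp[12] > threshold or (vlan and tcp[12] > threshold)'.

    The first clause uses untagged offsets; after the 'vlan' keyword every
    offset for the rest of the expression is shifted by the 4-byte tag.
    """
    b12 = tcp_byte12(frame, ETH_LEN)
    if b12 is not None and b12 > threshold:
        return True
    if is_vlan(frame):
        b12 = tcp_byte12(frame, ETH_LEN + VLAN_TAG_LEN)
        return b12 is not None and b12 > threshold
    return False


def tcp_option_kinds(frame):
    """Satori-side recheck: walk the real option list and return the option kinds seen."""
    l2len = ETH_LEN + VLAN_TAG_LEN if is_vlan(frame) else ETH_LEN
    b12 = tcp_byte12(frame, l2len)
    if b12 is None:
        return []
    tcp_off = l2len + (frame[l2len] & 0x0F) * 4
    header_len = (b12 >> 4) * 4           # the low nibble is reserved, so mask it off
    opts = frame[tcp_off + 20 : tcp_off + header_len]
    kinds, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of Option List
            break
        kinds.append(kind)
        if kind == 1:                     # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                         # truncated or malformed option: stop parsing
        i += opts[i + 1]
    return kinds


if __name__ == "__main__":
    for label, frame in [("plain, no options", build_frame()),
                         ("plain, with options", build_frame(SAMPLE_OPTIONS)),
                         ("vlan 100, no options", build_frame(vlan_id=100)),
                         ("vlan 100, with options", build_frame(SAMPLE_OPTIONS, vlan_id=100))]:
        print(f"{label:24s} tcp[12]=0x{tcp_byte12(frame, 18 if is_vlan(frame) else 14):02x} "
              f"passes '>50': {bpf_matches(frame, 50)!s:5} passes '>0x50': {bpf_matches(frame, 0x50)!s:5} "
              f"options: {tcp_option_kinds(frame)}")
```

Running it shows the option-less frames passing the decimal-50 filter and being rejected by the 0x50 one, with the tagged frames handled identically once the 4-byte shift is applied; the final option walk is the check the DLL should still perform regardless of what the filter promised.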

OK, other updates besides the BPF stuff...

Satori 0.7.3 released. I wanted a new .zip file, as the last one was 0.7.1 and that was from quite a while ago. The 0.7.2 .exe was released 1.5 years ago! One thing I recently noticed with the update of the oui.txt file is that Satori reads it, but doesn't pick up any new changes in it unless I recompile the .exe. No idea why; it's on my list to fix some day.

Also released the SIP DLL and profile. I wrote these back in 2010 and evidently never released them to the public. Which reminds me, I should probably upload the .xml file that goes with that too, which means updating the .zip file that will be missing it as well. Oh well, 5 more minutes of my life.

Enjoy the updates, and let me know if I broke anything, as I haven't had a ton of testing time with the new changes; I'm supposed to be studying for SANS 503 right now!

Oh, one last note: I figured out some interesting "glitches" with the VLAN tag and BPF, and I'll try to do a separate post once I verify it all and get some feedback.
