[Snort-openappid] Rules to detect flows?

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Nov 3 11:19:23 EST 2014

The flags option you gave us has a few small errors. Note the * in our rule example. Otherwise your approach looks OK.
If you add flowbits:noalert; to this start rule, you won't get events for that.

alert tcp any any -> any any (msg:"ssh"; appid: ssh; flags:*FR; flowbits:isnotset,fr; flowbits:set,fr; sid:1000000; rev:1;)

Let us know if this works better.
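
As an added illustration (not code from this thread or from Snort), a small Python model of how the flags and flowbits options interact across one constructed SSH session, assuming AppID only classifies the flow once it has seen payload. It runs three finish rules: the thread's flags:F rule, the same rule with flags:*FR, and a variant that, like the rule above, sets a separate bit and never unsets it.

```python
# Added example, not Snort's code: a toy model of the "flags"/"flowbits" options.
# Packets are constructed; "appid" is what AppID has identified on the flow by
# that packet (assumed None until payload is seen, as AppID needs deeper inspection).

def flags_match(spec, pkt_flags):
    """Exact match by default; '+' = plus any others, '*' = any of, '!' = none of the bits."""
    mod = spec[0] if spec[0] in "+*!" else ""
    want = set(spec[len(mod):])
    if mod == "+":
        return want <= pkt_flags
    if mod == "*":
        return bool(want & pkt_flags)
    if mod == "!":
        return not (want & pkt_flags)
    return want == pkt_flags

def run_rules(rules, packets):
    """Flowbits are per-session state; isset/isnotset are checked before
    set/unset (the order the thread's rules use). Returns alert msgs raised."""
    bits, alerts = set(), []
    for pkt in packets:
        for r in rules:
            fb = r.get("flowbits", [])          # list of (op, bitname); ("noalert", None) suppresses
            if r.get("appid") and pkt["appid"] != r["appid"]:
                continue
            if r.get("flags") and not flags_match(r["flags"], pkt["flags"]):
                continue
            if any((n in bits) != (op == "isset") for op, n in fb if op.startswith("is")):
                continue
            for op, n in fb:
                if op == "set": bits.add(n)
                elif op == "unset": bits.discard(n)
            if not any(op == "noalert" for op, _ in fb):
                alerts.append(r["msg"])
    return alerts

# Constructed SSH session: SYN, SYN/ACK, ACK, two data packets, FIN/ACK, final ACK.
SESSION = [{"flags": f, "appid": a} for f, a in [
    ({"S"}, None), ({"S", "A"}, None), ({"A"}, None), ({"A", "P"}, "ssh"),
    ({"A", "P"}, "ssh"), ({"F", "A"}, "ssh"), ({"A"}, "ssh")]]

START = {"msg": "ssh start", "appid": "ssh",
         "flowbits": [("isnotset", "ssh"), ("set", "ssh")]}
FINISH_BARE_FIN = {"msg": "ssh finish", "flags": "F",  # thread's rule: bare FIN only
                   "flowbits": [("isset", "ssh"), ("unset", "ssh")]}
FINISH_UNSET = {"msg": "ssh finish", "flags": "*FR",   # FIN or RST, but unsets the bit
                "flowbits": [("isset", "ssh"), ("unset", "ssh")]}
FINISH_ONCE = {"msg": "ssh finish", "flags": "*FR",    # separate bit, never unset
               "flowbits": [("isset", "ssh"), ("isnotset", "fr"), ("set", "fr")]}

def alerts_for(finish_rule):
    return run_rules([START, finish_rule], SESSION)
```

With flags:F the finish rule never fires on a FIN/ACK; with flags:*FR plus unset, the trailing ACK re-arms the start rule and a second "ssh start" appears; the separate-bit variant gives exactly one start and one finish.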


From: "dpifun at ...43..." <dpifun at ...43...>
Date: Sunday, November 2, 2014 at 1:49 PM
To: ckleopa <ckleopa at ...5...>
Subject: Re: [Snort-openappid] Rules to detect flows?


I played around with the rules a bit more today. As I mentioned earlier, a simple SSH connection rule:

alert tcp any any -> any any (msg:"ssh"; appid: ssh openssh; sid:1000000; rev:1;)

produces a LARGE number of alerts on a single SSH connection.

In trying to play around with flowbits, I have these rules:

alert tcp any any -> any any (msg:"ssh start"; flowbits: isnotset, ssh; flowbits: set, ssh; appid: ssh; sid:1000000; rev:1;)

alert tcp any any -> any any (msg:"ssh finish"; flags: F; flowbits: isset, ssh; flowbits: unset, ssh; sid: 1000001; rev: 1;)

The idea here was to set the ssh flowbit when the flow is seen and issue an alert. Then, when the connection is closed to send a final alert.

With those rules, I do get two alerts. But, they're both "ssh start" alerts shown below:

[**] [1:1000000:1] ”ssh start” [**]
[Priority: 0]
11/02-10:36:52.245181 ->
TCP TTL:64 TOS:0x0 ID:4853 IpLen:20 DgmLen:548 DF
***AP*** Seq: 0x2B086E0B  Ack: 0x155A71B3  Win: 0x7210  TcpLen: 20

[**] [1:1000000:1] ”ssh start” [**]
[Priority: 0]
11/02-10:36:59.628815 ->
TCP TTL:64 TOS:0x10 ID:28775 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x2B087800  Ack: 0x155A83BC  Win: 0xA3F0  TcpLen: 20

My configuration is exactly like the tutorials on Ubuntu 14.04 running 2.9.7 with the latest rules and OpenAppID drop. I start snort with the following command:

snort -c /etc/snort/snort.conf --daq afpacket -i eth0 -k none

All we're trying to do is get an alert when an SSH connection starts and when it ends.

I'm sure that the problem is that we just don't understand the Snort rule language well enough yet.


Sent using Hushmail

On 11/1/2014 at 8:19 PM, "Costas Kleopa (ckleopa)" <ckleopa at ...5...> wrote:
With the alerts that should at least give you the end of the connection. For AppID, we won't know what the application is from the first SYN packet, since we need deeper inspection to find the application, so we would only provide the alert when the connection ends.

If you are seeing more alerts even in a per TCP session then please send us the rules you are using, the configuration and some of the log output of the alert results and we will investigate it internally.


On Nov 1, 2014, at 8:01 PM, "dpifun at ...43..." <dpifun at ...43...> wrote:


Thanks for the quick reply! What about a rule to get the start/end of a connection for ssh?

Originally, we thought we could use the Syn and Fin flags along with flowbits. That didn't work though.


Sent using Hushmail

On 11/1/2014 at 7:58 PM, "Costas Kleopa (ckleopa)" <ckleopa at ...5...> wrote:
Unfortunately, providing the received and sent bytes per connection in the alerts is something that is not supported in this release, and we have also noted it in our roadmap for this feature.

The only way you can get the received/sent bytes per AppID is on a per timed interval through the use of the app-stats logs.


On Nov 1, 2014, at 7:47 PM, "dpifun at ...43..." <dpifun at ...43...> wrote:

We're trying to detect apps with rules to get the IP, port pair. But, we've run into a snag.

A simple rule for detecting SSH connections regardless of the port:

alert tcp any any -> any any (msg:"ssh"; appid: ssh openssh; sid:1000000; rev:1;)

This rule, however, creates a huge number of alerts for a single SSH connection. While we're not snort rule experts, using flowbits seems to be the way. But, we're a bit lost on how to get ONLY an alert at the beginning of an SSH connection and at the end. It would be cool if we could get the number of bytes sent/received for the connection but that seems impossible.

We tried using the S and F flags without success.

Any help appreciated!

Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net

Please visit http://blog.snort.org to stay current on all the latest Snort news!