[Snort-openappid] created openappid website detector not working

Costas Kleopa (ckleopa) ckleopa at ...5...
Wed May 17 12:49:07 EDT 2017


Can you send us a pcap with this traffic?

What snort command line did you use? Can you also make sure you try with "-k none -P 9000" so you can accept bad checksums and jumbo frames?

Thanks
Costas

On May 16, 2017, at 5:29 PM, asd asd <luckygpkt at ...153...> wrote:

Hello,
I encountered an issue while creating an openappid detector for a website; to create the detector I used the appid detector builder.
After creating a few detectors using TCP with a hex pattern and an HTTP URL, neither of them is used while capturing packets; in the logs it is shown as unknown.

Snort dir: /etc/snort
AppID dir: /etc/snort/odp

Path for preprocessor appid is configured as /etc/snort
Created *.lua files are in /etc/snort/odp/custom/lua

Created detectors:

--[[
detection_name: antyweb1
version: 1
description: antyweb1 wants a better description.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "antyweb1",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        -- register the application name and obtain its AppId
        gAppId = gDetector:open_createApp("antyweb1");

        -- the hex string below is "Host: antyweb.pl\r\n" (18 bytes); the same
        -- pattern is registered for TCP ports 80 and 443
        if gDetector.addPortPatternServer then
                gDetector:addPortPatternServer(proto,80,"\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a",54, gAppId);
                gDetector:addPortPatternServer(proto,443,"\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a",54, gAppId);
        end

        return gDetector;
end

function DetectorClean()
end

=========

--[[
detection_name: antyweb3
version: 1
description: antyweb3 wants a better description.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "antyweb3",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        -- register the application name and obtain its AppId
        gAppId = gDetector:open_createApp("antyweb3");

        -- URL-based detection: host "antyweb.pl", path "/", scheme "http:"
        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "antyweb.pl", "/", "http:", "", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end

=======

appid log: <ll.png> (image attachment, not included in the archive)

Any advice would be appreciated, Thanks.
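An added diagnostic, not part of the thread and not Snort's own tooling: it decodes the detector's hex pattern into the bytes AppID would compare and reports where that byte sequence sits in a constructed HTTP request and response (the sample messages are constructed, not captured traffic).

```python
import re

# Hex-escaped pattern copied verbatim from the antyweb1 detector in the thread.
LUA_PATTERN = r"\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a"

# Constructed sample exchange (not captured traffic): a request a browser would
# send to antyweb.pl and a minimal response the server would return.
CLIENT_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: antyweb.pl\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"Accept: */*\r\n\r\n"
)
SERVER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n\r\n"
    b"hello"
)


def decode_lua_hex(escaped: str) -> bytes:
    """Turn a Lua-style string of \\xNN escapes into the raw bytes AppID compares."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", escaped))


def locate(payload: bytes, pattern: bytes) -> int:
    """Byte offset of pattern inside payload, or -1 when it does not occur."""
    return payload.find(pattern)


def check_directions(escaped: str) -> dict:
    """Report the pattern's length and its offset in each direction of the sample exchange."""
    pattern = decode_lua_hex(escaped)
    return {
        "pattern": pattern,
        "length": len(pattern),
        "client_offset": locate(CLIENT_REQUEST, pattern),
        "server_offset": locate(SERVER_RESPONSE, pattern),
    }


if __name__ == "__main__":
    result = check_directions(LUA_PATTERN)
    print(f"pattern bytes : {result['pattern']!r} ({result['length']} bytes)")
    # The Host header is part of the client's request, so it is only
    # expected in client-to-server payload; -1 means "not present".
    print(f"client request: offset {result['client_offset']}")
    print(f"server reply  : offset {result['server_offset']}")
```

Knowing the decoded bytes, their length and which direction of the flow carries them is the first thing to compare against the pcap that Costas asks for.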



