[Snort-openappid] Re: Re: created openappid website detector not working

asd asd luckygpkt at ...153...
Wed May 17 20:23:12 EDT 2017


I'm not sure why the mail included HTTP code..

I'm starting snort with:
snort -g snort -u snort -c /etc/snort/snort.conf -i eth0
I've noticed that offset was wrong, corrected it, still not detecting.

As requested I've tried adding -k none -P 9000, like before no change in detecting.

Attached pcap, appid log and partial snort log related to website address.



On Wednesday, 17 May 2017 18:49 Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:
> Can you send us a pcap with this traffic?
> What snort command line did you use? Can you also make sure you try with the "-k none -P 9000" so you can accept bad checksums and jumbo frames?
> Thanks
> Costas
> > On May 16, 2017, at 5:29 PM, asd asd <luckygpkt at ...153...> wrote: 
> > Hello,
> > I encountered an issue while creating an openappid detector for a website; to create the detector I used the appid detector builder. After creating a few detectors using TCP with a hex pattern and HTTP url, neither of them is used while capturing packets; in the logs it is shown as unknown.
> > Snort dir: /etc/snort
> > AppID dir: /etc/snort/odp
> > Path for preprocessor appid is configured as /etc/snort
> > Created *.lua files are in /etc/snort/odp/custom/lua
> > Created detectors:
> > --[[
> > detection_name: antyweb1
> > version: 1
> > description: antyweb1 wants a better description.
> > --]]
> > require "DetectorCommon"
> > local DC = DetectorCommon
> > local proto = DC.ipproto.tcp;
> > DetectorPackageInfo = {
> >     name = "antyweb1",
> >     proto = proto,
> >     server = {
> >         init = 'DetectorInit',
> >         clean = 'DetectorClean',
> >         minimum_matches = 1
> >     }
> > }
> > function DetectorInit(detectorInstance)
> >     gDetector = detectorInstance;
> >     gAppId = gDetector:open_createApp("antyweb1");
> >     if gDetector.addPortPatternServer then
> >         -- the hex pattern decodes to "Host: antyweb.pl\r\n"; 54 is the offset argument
> >         gDetector:addPortPatternServer(proto, 80, "\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a", 54, gAppId);
> >         gDetector:addPortPatternServer(proto, 443, "\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a", 54, gAppId);
> >     end
> >     return gDetector;
> > end
> > function DetectorClean()
> > end
> > =========
> >
> > --[[
> > detection_name: antyweb3
> > version: 1
> > description: antyweb3 wants a better description.
> > --]]
> > require "DetectorCommon"
> > local DC = DetectorCommon
> > local proto = DC.ipproto.tcp;
> > DetectorPackageInfo = {
> >     name = "antyweb3",
> >     proto = proto,
> >     server = {
> >         init = 'DetectorInit',
> >         clean = 'DetectorClean',
> >         minimum_matches = 1
> >     }
> > }
> > function DetectorInit(detectorInstance)
> >     gDetector = detectorInstance;
> >     gAppId = gDetector:open_createApp("antyweb3");
> >     if gDetector.addAppUrl then
> >         -- URL detector: host "antyweb.pl", path "/", scheme "http:"
> >         gDetector:addAppUrl(0, 0, 0, gAppId, 0, "antyweb.pl", "/", "http:", "", gAppId);
> >     end
> >     return gDetector;
> > end
> > function DetectorClean()
> > end
> > =======
> > appid log: <ll.png>
> > Any advice would be appreciated. Thanks.
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: appid_log.png
Type: image/png
Size: 10425 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20170518/bd7d4edd/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pcap.png
Type: image/png
Size: 41678 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20170518/bd7d4edd/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_log.png
Type: image/png
Size: 87750 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20170518/bd7d4edd/attachment-0002.png>
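The thread revolves around the offset passed to addPortPatternServer. The script below is an added example, not code from this thread or from the Snort project; it assumes that the fourth argument of addPortPatternServer/addPortPatternClient is the byte position within the payload at which the pattern must begin. It decodes the detector's hex-escaped Lua pattern, reports where that pattern actually sits in constructed sample HTTP traffic, and shows that the offset of a Host header moves with the length of the request line, which is why a fixed offset for it is fragile. It also generalizes slightly with a helper that turns bytes back into a Lua hex literal for writing new patterns.

```python
"""Check an OpenAppID port-pattern offset against sample payloads.

Added example, not from the mailing-list thread or from Snort. Assumption:
the offset argument of addPortPatternServer/addPortPatternClient is the
byte position in the payload where the pattern must start.
"""
from typing import Dict, Optional

# The pattern exactly as written in the detector's Lua string literal.
PATTERN_HEX = (
    "\\x48\\x6f\\x73\\x74\\x3a\\x20\\x61\\x6e\\x74\\x79\\x77\\x65\\x62"
    "\\x2e\\x70\\x6c\\x0d\\x0a"
)

# Offset used in the detector from the thread.
DETECTOR_OFFSET = 54


def decode_lua_hex_escapes(literal: str) -> bytes:
    """Turn a Lua string literal made only of \\xNN escapes into bytes."""
    parts = literal.split("\\x")
    return bytes(int(p, 16) for p in parts if p)


def lua_hex_literal(data: bytes) -> str:
    """Inverse of decode_lua_hex_escapes: bytes -> \\xNN escape sequence."""
    return "".join("\\x%02x" % b for b in data)


def pattern_offset(payload: bytes, pattern: bytes) -> Optional[int]:
    """Byte offset of the first occurrence of pattern in payload, or None."""
    idx = payload.find(pattern)
    return None if idx < 0 else idx


def offset_matches(payload: bytes, pattern: bytes, offset: int) -> bool:
    """True if pattern starts exactly at `offset` in payload."""
    return payload[offset:offset + len(pattern)] == pattern


def build_request(path: bytes) -> bytes:
    """Constructed sample client request (not taken from the pcap)."""
    return (
        b"GET " + path + b" HTTP/1.1\r\n"
        b"Host: antyweb.pl\r\n"
        b"User-Agent: curl/7.52.1\r\n"
        b"Accept: */*\r\n"
        b"\r\n"
    )


# Constructed sample server response (not taken from the pcap).
SERVER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def check_detector_offset(offset: int) -> Dict[str, object]:
    """Report where the detector's pattern sits in each direction."""
    pattern = decode_lua_hex_escapes(PATTERN_HEX)
    client = build_request(b"/")
    return {
        "pattern": pattern,
        "client_offset": pattern_offset(client, pattern),
        "server_offset": pattern_offset(SERVER_RESPONSE, pattern),
        "client_match_at_offset": offset_matches(client, pattern, offset),
    }


def host_offset_for_path(path: bytes) -> Optional[int]:
    """Where the Host header lands when the request line length changes."""
    pattern = decode_lua_hex_escapes(PATTERN_HEX)
    return pattern_offset(build_request(path), pattern)


if __name__ == "__main__":
    report = check_detector_offset(DETECTOR_OFFSET)
    print("pattern:", report["pattern"])
    print("offset in client request:", report["client_offset"])
    print("offset in server response:", report["server_offset"])
    print("matches at offset %d:" % DETECTOR_OFFSET,
          report["client_match_at_offset"])
    for p in (b"/", b"/index.html"):
        print("Host header offset for path %r: %s" % (p, host_offset_for_path(p)))
```

Running it with the detector's values shows the pattern only occurs in the client-to-server payload, at offset 16 for a request for "/" and at 26 for "/index.html", and never at offset 54; useful to keep in mind when deciding whether a port pattern or a URL-based detector is the right tool for a website.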