[Snort-openappid] Odp: Re: created openappid website detector not working

Eyolv André Øverland eyolvoe at ...8...
Fri May 19 15:34:13 EDT 2017


Exactly who are these emails from?

On Thu 18 May 2017 at 02:26, asd asd <luckygpkt at ...153...> wrote:

> I'm not sure why the mail included HTTP code..
>
> I'm starting snort with:
> snort -g snort -u snort -c /etc/snort/snort.conf -i eth0
> I've noticed that offset was wrong, corrected it, still not detecting.
>
> As requested I've tried adding -k none -P 9000, like before no change in
> detecting.
>
> Attached pcap, appid log and partial snort log related to website address.
>
> On Wednesday, 17 May 2017 at 18:49, Costas Kleopa (ckleopa) <ckleopa at ...52......>
> wrote:
> > Can you send us a pcap with this traffic?
> > What snort command line did you use? Can you also make sure you try with
> > the "-k none -P 9000" so you can accept bad checksums and jumbo
> > frames?
> >   Thanks
> >   Costas
> > > On May 16, 2017, at 5:29 PM, asd asd <luckygpkt at ...153...> wrote:
> > > Hello,
> > > I encountered an issue while creating an openappid detector for a
> > > website; to create the detector I used the appid detector builder. After
> > > creating a few detectors using TCP with a hex pattern and an HTTP url,
> > > neither of them is used while capturing packets; in the logs it is shown
> > > as unknown.
> > > Snort dir: /etc/snort
> > > AppID dir: /etc/snort/odp
> > > Path for preprocessor appid is configured as /etc/snort
> > > Created *.lua files are in /etc/snort/odp/custom/lua
> > > Created detectors:
> > > --[[
> > > detection_name: antyweb1
> > > version: 1
> > > description: antyweb1 wants a better description.
> > > --]]
> > >
> > > require "DetectorCommon"
> > > local DC = DetectorCommon
> > >
> > > local proto = DC.ipproto.tcp;
> > > DetectorPackageInfo = {
> > >     name = "antyweb1",
> > >     proto = proto,
> > >     server = {
> > >         init = 'DetectorInit',
> > >         clean = 'DetectorClean',
> > >         minimum_matches = 1
> > >     }
> > > }
> > >
> > > function DetectorInit(detectorInstance)
> > >     gDetector = detectorInstance;
> > >     gAppId = gDetector:open_createApp("antyweb1");
> > >     -- "\x48...\x0d\x0a" is the byte pattern "Host: antyweb.pl\r\n"
> > >     if gDetector.addPortPatternServer then
> > >         gDetector:addPortPatternServer(proto, 80, "\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a", 54, gAppId);
> > >         gDetector:addPortPatternServer(proto, 443, "\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a", 54, gAppId);
> > >     end
> > >     return gDetector;
> > > end
> > >
> > > function DetectorClean()
> > > end
> > > =========
> > >
> > > --[[
> > > detection_name: antyweb3
> > > version: 1
> > > description: antyweb3 wants a better description.
> > > --]]
> > >
> > > require "DetectorCommon"
> > > local DC = DetectorCommon
> > >
> > > local proto = DC.ipproto.tcp;
> > > DetectorPackageInfo = {
> > >     name = "antyweb3",
> > >     proto = proto,
> > >     server = {
> > >         init = 'DetectorInit',
> > >         clean = 'DetectorClean',
> > >         minimum_matches = 1
> > >     }
> > > }
> > >
> > > function DetectorInit(detectorInstance)
> > >     gDetector = detectorInstance;
> > >     gAppId = gDetector:open_createApp("antyweb3");
> > >     if gDetector.addAppUrl then
> > >         gDetector:addAppUrl(0, 0, 0, gAppId, 0, "antyweb.pl", "/", "http:", "", gAppId);
> > >     end
> > >     return gDetector;
> > > end
> > >
> > > function DetectorClean()
> > > end
> > > =======
> > > appid log: <ll.png>
> > > Any advice would be appreciated, Thanks.
> > >
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most engaging
> tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-openappid
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
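A quick check on the fixed-offset port pattern used in the first detector of the quoted message, added here as an example and not part of the thread: it decodes the Lua hex escape string back to `Host: antyweb.pl\r\n` and reports at which payload offsets that header actually sits in a few constructed HTTP requests. It assumes the offset argument of addPortPatternServer is the byte position in the TCP payload where the pattern must begin; the request samples are constructed, not captured traffic.

```python
# Added example, not code from the thread. Assumption: the detector's offset
# argument (54 in the posted detector) is the byte position in the TCP payload
# at which the pattern must start.

# The exact escape string from the posted detector, kept as a raw string so
# the "\x.." pairs are decoded explicitly below.
LUA_PATTERN = r"\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a"

# Constructed client requests (not captured traffic). Only the request line
# differs; the Host header is identical in all three.
SAMPLE_REQUESTS = {
    "short": b"GET / HTTP/1.1\r\nHost: antyweb.pl\r\nUser-Agent: test\r\n\r\n",
    # Request line is exactly 52 bytes + CRLF, so the header starts at 54.
    "exact_fit": b"GET /some/longer/path/index.html?id=1234567 HTTP/1.1\r\nHost: antyweb.pl\r\n\r\n",
    "ua_first": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\nHost: antyweb.pl\r\n\r\n",
}


def lua_hex_to_bytes(pattern):
    """Decode a Lua-style "\\x48\\x6f..." escape string into raw bytes."""
    return bytes.fromhex(pattern.replace("\\x", ""))


def pattern_offsets(payload, pattern):
    """Return every payload offset at which the pattern occurs."""
    found, start = [], 0
    while (idx := payload.find(pattern, start)) != -1:
        found.append(idx)
        start = idx + 1
    return found


def matches_at_offset(payload, pattern, offset):
    """Emulate a fixed-offset port pattern: the pattern must start exactly at offset."""
    return payload[offset:offset + len(pattern)] == pattern


def report(offset=54):
    """Map each sample to (offsets where the header really is, fixed-offset match?)."""
    pattern = lua_hex_to_bytes(LUA_PATTERN)
    return {
        name: (pattern_offsets(req, pattern), matches_at_offset(req, pattern, offset))
        for name, req in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (where, hit) in report().items():
        print(f"{name:10s} header at {where}  fixed-offset-54 match: {hit}")
```

Because the request line length varies from client to client, a pattern pinned to one offset only fires for requests whose request line happens to be 52 bytes long; the same plaintext pattern registered on port 443 cannot match at all, since in a TLS session the Host header is encrypted.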