[Snort-openappid] Odp: Re: Odp: Re: created openappid website detector not working

Marcin Banaś marcinjbanas at ...8...
Sun May 21 06:02:41 EDT 2017


Apologies for not introducing myself properly; I was in a hurry to solve this
issue.

My name is Marcin Banaś and I study network security.

I'd be grateful for any advice on how to solve my problem.

Thanks.



On Saturday, 20 May 2017 23:30 Michael Sadler <msadler at ...155...>
wrote

It's relevant bro!


On Sat, May 20, 2017 at 5:29 PM asd asd <luckygpkt at ...153...> wrote:

> I study network security in Poland. Name doesn't seem relevant.
>
> Could anyone explain to me why I'm unable to use my detectors? That would be
> very helpful.
>
> Thanks.
>
> On Friday, 19 May 2017 21:34 Eyolv André Øverland <eyolvoe at ...8...>
> wrote
>
> Exactly who are these emails from?
>
> On Thu. 18 May 2017, 02:26 asd asd <luckygpkt at ...153...> wrote:
>
>> I'm not sure why the mail included HTTP code.
>>
>> I'm starting snort with:
>> snort -g snort -u snort -c /etc/snort/snort.conf -i eth0
>> I've noticed that the offset was wrong, corrected it, still not detecting.
>>
>> As requested I've tried adding -k none -P 9000; like before, no change in
>> detecting.
>>
>> Attached pcap, appid log and partial snort log related to the website address.
>>
>> On Wednesday, 17 May 2017 18:49 Costas Kleopa (ckleopa) <ckleopa at ...39...5...>
>> wrote
>> > Can you send us a pcap with this traffic?
>> > What snort command line did you use? Can you also make sure you try
>> > with "-k none -P 9000" so you can accept bad checksums and jumbo
>> > frames?
>> > Thanks, Costas
>> > > On May 16, 2017, at 5:29 PM, asd asd <luckygpkt at ...153...> wrote:
>> > > Hello,
>> > > I encountered an issue while creating an OpenAppID detector for a
>> > > website; to create the detector I used the AppID detector builder.
>> > > After creating a few detectors using TCP with a hex pattern and an
>> > > HTTP URL, neither of them is used while capturing packets; in the
>> > > logs the traffic is shown as unknown.
>> > > Snort dir: /etc/snort
>> > > AppID dir: /etc/snort/odp
>> > > Path for preprocessor appid is configured as /etc/snort
>> > > Created *.lua files are in /etc/snort/odp/custom/lua
>> > > Created detectors:
>> > >
>> > > --[[
>> > > detection_name: antyweb1
>> > > version: 1
>> > > description: antyweb1 wants a better description.
>> > > --]]
>> > >
>> > > require "DetectorCommon"
>> > > local DC = DetectorCommon
>> > >
>> > > local proto = DC.ipproto.tcp
>> > > DetectorPackageInfo = {
>> > >     name = "antyweb1",
>> > >     proto = proto,
>> > >     server = {
>> > >         init = 'DetectorInit',
>> > >         clean = 'DetectorClean',
>> > >         minimum_matches = 1
>> > >     }
>> > > }
>> > >
>> > > function DetectorInit(detectorInstance)
>> > >     gDetector = detectorInstance
>> > >     gAppId = gDetector:open_createApp("antyweb1")
>> > >     -- the hex string is the byte encoding of "Host: antyweb.pl\r\n",
>> > >     -- registered for TCP ports 80 and 443 at offset 54
>> > >     if gDetector.addPortPatternServer then
>> > >         gDetector:addPortPatternServer(proto, 80, "\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a", 54, gAppId)
>> > >         gDetector:addPortPatternServer(proto, 443, "\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65\x62\x2e\x70\x6c\x0d\x0a", 54, gAppId)
>> > >     end
>> > >     return gDetector
>> > > end
>> > >
>> > > function DetectorClean()
>> > > end
>> > > =========
>> > >
>> > > --[[
>> > > detection_name: antyweb3
>> > > version: 1
>> > > description: antyweb3 wants a better description.
>> > > --]]
>> > >
>> > > require "DetectorCommon"
>> > > local DC = DetectorCommon
>> > >
>> > > local proto = DC.ipproto.tcp
>> > > DetectorPackageInfo = {
>> > >     name = "antyweb3",
>> > >     proto = proto,
>> > >     server = {
>> > >         init = 'DetectorInit',
>> > >         clean = 'DetectorClean',
>> > >         minimum_matches = 1
>> > >     }
>> > > }
>> > >
>> > > function DetectorInit(detectorInstance)
>> > >     gDetector = detectorInstance
>> > >     gAppId = gDetector:open_createApp("antyweb3")
>> > >     -- URL-based detection: host "antyweb.pl", path "/", scheme "http:"
>> > >     if gDetector.addAppUrl then
>> > >         gDetector:addAppUrl(0, 0, 0, gAppId, 0, "antyweb.pl", "/", "http:", "", gAppId)
>> > >     end
>> > >     return gDetector
>> > > end
>> > >
>> > > function DetectorClean()
>> > > end
>> > > =======
>> > > appid log: <ll.png> (attached image)
>> > > Any advice would be appreciated, Thanks.
>> > >
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most engaging
>> tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-openappid mailing list
>> Snort-openappid at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
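To check the hex pattern and offset that the antyweb1 detector registers against real bytes from the attached pcap, here is an added Python helper; it is not code from the thread or from the OpenAppID project. The request and response payloads are constructed samples, and the helper assumes the detector's offset argument counts from the first byte of the TCP payload.

```python
import re

# The pattern string exactly as it appears in the antyweb1 detector's
# addPortPatternServer calls (a Lua string made of \xNN escapes).
LUA_PATTERN = (r"\x48\x6f\x73\x74\x3a\x20\x61\x6e\x74\x79\x77\x65"
               r"\x62\x2e\x70\x6c\x0d\x0a")

# Offset argument the detector passes to addPortPatternServer.
DETECTOR_OFFSET = 54


def decode_lua_hex(pattern: str) -> bytes:
    """Convert the \\xNN escapes of a Lua string literal to raw bytes.
    Characters that are not escapes are passed through unchanged."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        m = re.match(r"\\x([0-9a-fA-F]{2})", pattern[i:])
        if m:
            out.append(int(m.group(1), 16))
            i += 4
        else:
            out.append(ord(pattern[i]))
            i += 1
    return bytes(out)


def pattern_offsets(payload: bytes, pattern: bytes) -> list:
    """All offsets, counted from the first byte of the TCP payload
    (assumption about the API's offset semantics), where pattern occurs."""
    offsets, start = [], 0
    while (idx := payload.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def matches_at(payload: bytes, pattern: bytes, offset: int) -> bool:
    """True if the pattern sits exactly at the given payload offset."""
    return payload[offset:offset + len(pattern)] == pattern


# Constructed sample payloads (not taken from the thread's pcap): a
# browser request to the site, and the server's reply to it.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\n"
                  b"Host: antyweb.pl\r\n"
                  b"User-Agent: example\r\n\r\n")
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    pat = decode_lua_hex(LUA_PATTERN)
    print("pattern decodes to:", pat)
    print("offsets in request :", pattern_offsets(SAMPLE_REQUEST, pat))
    print("offsets in response:", pattern_offsets(SAMPLE_RESPONSE, pat))
    print("match at offset", DETECTOR_OFFSET, ":",
          matches_at(SAMPLE_REQUEST, pat, DETECTOR_OFFSET))
```

Swap the constructed payloads for the request and response bytes extracted from the pcap to see which direction actually carries the pattern and at which offset it begins.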