[Snort-openappid] OpenAppID custom detector

Costas Kleopa (ckleopa) ckleopa at cisco.com
Wed Apr 25 13:29:06 EDT 2018


Deivison,

Thank you for your request. There seems to be a bug from the script that generates the .lua files.

The correct function should have been addPortPatternService instead of addPortPatternServer. We plan to update the script to fix this in a future update.

Also from your sample, you had: gDetector:addPortPatternServer(proto,212,"8",56, gAppId); which is looking for "8" at byte offset 56.
Based on your pcap this does not exist.

A better example is using this:

    gDetector:addPortPatternService(proto,212,"\004\219\000\000",0, gAppId);

which is the decimal value of the first 4 bytes of the server-side data at offset 0.

Attached is a cleaned-up version of your pcap, with bad checksums fixed and filtered to the traffic of that port number, and the new .lua file that we tested working.

Thanks
Costas
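The following is an added example, not code from the thread or from Snort/OpenAppID, showing the encoding step Costas describes above: each of the first bytes the server sends is written as a three-digit decimal escape in the Lua pattern string, so 04 DB 00 00 becomes "\004\219\000\000". It also checks a candidate pattern against sample server data, which makes clear why "8" at offset 56 never fires while the four-byte pattern at offset 0 does. The sample payload, the helper names and the use of 6 (the IP protocol number for TCP) as `proto` are constructed/assumed here.

```python
# Added example (not from the mailing-list thread or the Snort project): builds
# the pattern argument for gDetector:addPortPatternService the way the reply
# above describes, and checks a candidate pattern against sample server data.
# Assumptions: the Lua literal encodes each byte as a three-digit decimal
# escape (\ddd), a match means "pattern bytes equal payload bytes at offset",
# and the IP protocol number for TCP (6) is what the generated script passes
# as `proto`.  All helper names and sample data below are constructed here.

# Constructed sample: the first bytes the server sends on TCP/212, beginning
# with 04 DB 00 00 and then zero padding.  Offset 56 holds 0x00, not "8".
SERVER_PAYLOAD = bytes([0x04, 0xDB, 0x00, 0x00]) + b"\x00" * 60


def lua_decimal_escape(data: bytes) -> str:
    """Render raw bytes as the body of a Lua string literal using \\ddd escapes."""
    return "".join(f"\\{b:03d}" for b in data)


def lua_literal_to_bytes(literal: str) -> bytes:
    """Decode a Lua string-literal body back to bytes.

    Handles \\ddd decimal escapes (one to three digits, as Lua does) and
    plain characters such as the "8" in the original detector line.
    """
    out = bytearray()
    i = 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal) and literal[i + 1].isdigit():
            j = i + 1
            while j < len(literal) and j < i + 4 and literal[j].isdigit():
                j += 1
            value = int(literal[i + 1:j])
            if value > 255:
                raise ValueError(f"escape \\{value} exceeds one byte")
            out.append(value)
            i = j
        else:
            out.append(ord(literal[i]))
            i += 1
    return bytes(out)


def pattern_matches(payload: bytes, literal: str, offset: int) -> bool:
    """True if the decoded pattern equals the payload bytes starting at offset."""
    pattern = lua_literal_to_bytes(literal)
    return len(pattern) > 0 and payload[offset:offset + len(pattern)] == pattern


def port_pattern_service_line(proto: int, port: int, first_bytes: bytes, offset: int = 0) -> str:
    """Emit the addPortPatternService call in the form shown in the reply."""
    return (f'gDetector:addPortPatternService({proto},{port},'
            f'"{lua_decimal_escape(first_bytes)}",{offset}, gAppId);')


if __name__ == "__main__":
    # The pattern from the original .lua file: "8" at offset 56 -> no match.
    print("original pattern matches:", pattern_matches(SERVER_PAYLOAD, "8", 56))
    # The corrected pattern: first four server bytes at offset 0 -> match.
    corrected = lua_decimal_escape(SERVER_PAYLOAD[:4])
    print("corrected literal:", corrected)
    print("corrected pattern matches:", pattern_matches(SERVER_PAYLOAD, corrected, 0))
    print(port_pattern_service_line(6, 212, SERVER_PAYLOAD[:4]))
```

To use it against real traffic, take the first bytes of the server's first data segment from the cleaned pcap (Wireshark's "Follow TCP Stream" shows them in hex), pass them to `lua_decimal_escape`, and paste the resulting call into the DetectorInit function of the generated .lua file. Matching the service side at offset 0 is the robust choice because those bytes are sent on every session, whereas a single character deep in the stream varies with the session.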

From: Deivison Xavier <deivisonvx at gmail.com>
Date: Monday, April 23, 2018 at 11:51 PM
To: "Costas Kleopa (ckleopa)" <ckleopa at cisco.com>
Cc: Y M <snort at outlook.com>, "snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
Subject: Re: [Snort-openappid] OpenAppID custom detector

Attached are the generated .lua file and packets captured using Wireshark.
More information about the application:
IP: 200.189.97.13
Port: 212
Protocol: TCP

Thank you for your help!

2018-04-23 21:49 GMT-03:00 Costas Kleopa (ckleopa) <ckleopa at cisco.com>:
Could you share a small sample Pcaps and the lua script you generated for us to see what the issue is?
Thanks,
Costas

On Apr 23, 2018, at 3:47 PM, Deivison Xavier via Snort-openappid <snort-openappid at lists.snort.org> wrote:
I forgot to mention, I already used the tool and I can generate the .lua file. But in the log processing it only appears as "unknown", the defined name appears.

2018-04-23 15:39 GMT-03:00 Y M via Snort-openappid <snort-openappid at lists.snort.org>:
You can use the "appid_detector_builder.sh" tool that comes with Snort's tarball in the bin directory.

YM
________________________________
From: Snort-openappid <snort-openappid-bounces at lists.snort.org> on behalf of Deivison Xavier via Snort-openappid <snort-openappid at lists.snort.org>
Sent: Monday, April 23, 2018 9:36:04 PM
To: snort-openappid at lists.snort.org
Subject: [Snort-openappid] OpenAppID custom detector

Hello,

I am doing a college project on OpenAppID (Snort 2.9.9.11/Ubuntu16). I'm having trouble creating a detector for a third-party application. I read OpenDetectorDeveloperGuide3.0n (https://www.snort.org/downloads/openappid/6328), but it was not clear how to customize a detector. Is there someone with knowledge of the subject?

--
Att,
Deivison Xavier

_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Att,
Deivison Xavier



--
Att,
Deivison Xavier
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Mira.lua
Type: application/octet-stream
Size: 586 bytes
Desc: Mira.lua
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20180425/adb3fd2d/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mira.pcap
Type: application/octet-stream
Size: 91911 bytes
Desc: mira.pcap
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20180425/adb3fd2d/attachment-0003.obj>