[Snort-openappid] OpenAppID custom detector

Deivison Xavier deivisonvx at gmail.com
Wed May 2 21:15:17 EDT 2018


Hello, I'm sorry for the delay in answering.

It worked perfectly now, detecting the application correctly. I also
understood the explanation about the byte / offset. Thank you!

2018-04-25 14:29 GMT-03:00 Costas Kleopa (ckleopa) <ckleopa at cisco.com>:

> Deivison,
>
> Thank you for your request. There seems to be a bug from the script that
> generates the .lua files.
>
> The correct function should have been addPortPatternService instead of
> addPortPatternServer. We plan to update the script to fix this in a future
> update.
>
> Also from your sample, you had: gDetector:addPortPatternServer(proto,212,"8",56,gAppId);
> which is looking for “8” in the 56th byte/offset.
>
> Based on your pcap this does not exist.
>
> A better example is using this:
>
> gDetector:addPortPatternService(proto,212,"\004\219\000\000",0,gAppId);
>
> which are the decimal values of the first 4 bytes from the server’s
> side data at offset 0.
>
> Attached is a cleaned up version of your pcap, with bad checksums fixed,
> filtered with the traffic of that port number, and the new .lua file we
> tested this working.
>
> Thanks
>
> Costas
>
> *From: *Deivison Xavier <deivisonvx at gmail.com>
> *Date: *Monday, April 23, 2018 at 11:51 PM
> *To: *"Costas Kleopa (ckleopa)" <ckleopa at cisco.com>
> *Cc: *Y M <snort at outlook.com>, "snort-openappid at lists.snort.org" <
> snort-openappid at lists.snort.org>
> *Subject: *Re: [Snort-openappid] OpenAppID custom detector
>
> Attached are the generated .lua file and the packet capture made with Wireshark.
>
> More information of the application:
> IP: 200.189.97.13
> Port: 212
> Protocol: TCP
>
> Thank you for your help!
>
> 2018-04-23 21:49 GMT-03:00 Costas Kleopa (ckleopa) <ckleopa at cisco.com>:
>
> Could you share a small sample Pcaps and the lua script you generated for
> us to see what the issue is?
>
> Thanks,
>
> Costas
>
> On Apr 23, 2018, at 3:47 PM, Deivison Xavier via Snort-openappid <
> snort-openappid at lists.snort.org> wrote:
>
> I forgot to mention, I already used the tool, I can generate the .lua
> file. But in the log processing it only appears as "unknown"; the defined name
> appears.
>
> 2018-04-23 15:39 GMT-03:00 Y M via Snort-openappid <
> snort-openappid at lists.snort.org>:
>
> You can use the “appid_detector_builder.sh” tool that comes with Snort’s
> tarball in the bin directory.
>
> YM
> ------------------------------
>
> *From:* Snort-openappid <snort-openappid-bounces at lists.snort.org> on
> behalf of Deivison Xavier via Snort-openappid <
> snort-openappid at lists.snort.org>
> *Sent:* Monday, April 23, 2018 9:36:04 PM
> *To:* snort-openappid at lists.snort.org
> *Subject:* [Snort-openappid] OpenAppID custom detector
>
> Hello,
>
> I am doing college work on OpenAppID (Snort 2.9.9.11/Ubuntu16). I'm
> having trouble creating a detector for a third-party application. I read
> OpenDetectorDeveloperGuide3.0n (https://www.snort.org/downloads/openappid/6328),
> but it was not clear how to customize a detector. Does anyone have
> knowledge of the subject?
>
> --
>
> *Att,*
>
> *Deivison Xavier*
>
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-openappid
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> --
>
> *Att,*
>
> *Deivison Xavier*
>
>
> --
>
> *Att,*
>
> *Deivison Xavier*
>



-- 


*Att,*
*Deivison Xavier*
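Costas's byte/offset explanation above, as an added Python helper that is not from the thread or from the OpenAppID tooling: it encodes captured server bytes into the Lua decimal-escape form a detector pattern uses, decodes such a pattern back, and checks whether it sits at the given offset, so the mismatch of "8" at offset 56 versus the real first four bytes at offset 0 can be seen directly. The server payload is constructed for the example; only its first four bytes follow the pattern from the thread, and `proto` is the detector's protocol variable exactly as in Costas's line.

```python
import re

# Constructed sample: the first bytes the server sends on TCP/212 in the
# thread's capture are assumed to be 0x04 0xDB 0x00 0x00 (the pattern Costas
# derived); everything after them is made up for this example.
SERVER_PAYLOAD = bytes([0x04, 0xDB, 0x00, 0x00]) + b"hello from server" + bytes(40)


def lua_pattern(data: bytes) -> str:
    """Encode raw bytes as a Lua string using \\ddd decimal escapes, the form
    OpenAppID detector patterns use, e.g. b'\\x04\\xdb\\x00\\x00' -> "\\004\\219\\000\\000"."""
    return "".join(f"\\{b:03d}" for b in data)


def lua_unescape(pattern: str) -> bytes:
    """Decode a Lua \\ddd-escaped pattern back to bytes; plain printable
    characters (like the "8" in the first attempt) pass through as-is."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        m = re.match(r"\\(\d{1,3})", pattern[i:])
        if m:
            out.append(int(m.group(1)))
            i += m.end()
        else:
            out.append(ord(pattern[i]))
            i += 1
    return bytes(out)


def pattern_matches(payload: bytes, pattern: str, offset: int) -> bool:
    """Mimic a port-pattern check: the decoded pattern must appear in the
    payload exactly at the given byte offset (a short payload simply fails)."""
    needle = lua_unescape(pattern)
    return payload[offset:offset + len(needle)] == needle


def port_pattern_service_line(proto: str, port: int, payload: bytes,
                              length: int, offset: int = 0) -> str:
    """Build the addPortPatternService(...) call from the first `length`
    server bytes at `offset`, in the exact shape shown in the thread."""
    pat = lua_pattern(payload[offset:offset + length])
    return f'gDetector:addPortPatternService({proto},{port},"{pat}",{offset},gAppId);'
```

Run it against the first server-to-client payload taken from your own capture and compare the generated line with what appid_detector_builder.sh emitted.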