[Snort-users] snort3 : appid problem

Al Lewis (allewi) allewi at cisco.com
Wed Oct 31 12:37:20 EDT 2018


I used the default config and appid download. It alerted without issue for me.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi at cisco.com


From: Meridoff <oagvozd at gmail.com>
Date: Wednesday, October 31, 2018 at 12:04 PM
To: "Al Lewis (allewi)" <allewi at cisco.com>, "Snort-users at lists.snort.org" <Snort-users at lists.snort.org>
Subject: Re: [Snort-users] snort3 : appid problem

I've debugged this: p->flow is NULL, so the packet is ignored in AppIdInspector::eval()

Why is my packet flow NULL? I mean the "Flow flow" member of the Packet class.
Maybe something is absent in my config?

My rule is: alert tcp any any -> any any ( gid:8000; appids:"Jabber"; msg:"appid"; sid:12345678;  )



Mon, 22 Oct 2018 at 4:03, Al Lewis (allewi) <allewi at cisco.com>:
Tested locally and it works…


[speaker at speaker snort3-FROM-GIT]$ ./bin/snort -c etc/snort/snort.lua -R etc/snort/rules.txt -r jabber.pcap -Acmg -k none -q | more
12/10-04:55:05.799396 [**] [1:12345678:0] "Jabber" [**] [Priority: 0] [AppID: Jabber] {TCP} 192.168.21.111:53918 -> 192.168.10.22:5222
B4:99:BA:E4:D7:48 -> 4C:4E:35:EB:2D:CB type:0x800 len:0xD6
192.168.21.111:53918 -> 192.168.10.22:5222 TCP TTL:128 TOS:0x0 ID:14932 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0xD32CAB47  Ack: 0x82741A88  Win: 0x102  TcpLen: 20

snort.raw[160]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
3C 3F 78 6D 6C 20 76 65  72 73 69 6F 6E 3D 27 31  <?xml ve rsion='1
2E 30 27 20 3F 3E 3C 73  74 72 65 61 6D 3A 73 74  .0' ?><s tream:st
72 65 61 6D 20 74 6F 3D  27 75 63 64 65 6D 6F 2E  ream to= 'ucdemo.
63 69 73 63 6F 2E 6C 6F  63 61 6C 27 20 78 6D 6C  cisco.lo cal' xml
6E 73 3D 27 6A 61 62 62  65 72 3A 63 6C 69 65 6E  ns='jabb er:clien
74 27 20 78 6D 6C 6E 73  3A 73 74 72 65 61 6D 3D  t' xmlns :stream=
27 68 74 74 70 3A 2F 2F  65 74 68 65 72 78 2E 6A  'http:// etherx.j
61 62 62 65 72 2E 6F 72  67 2F 73 74 72 65 61 6D  abber.or g/stream
73 27 20 20 78 6D 6C 3A  6C 61 6E 67 3D 27 65 6E  s'  xml: lang='en
27 20 76 65 72 73 69 6F  6E 3D 27 31 2E 30 27 3E  ' versio n='1.0'>
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -


Also.. Is there a reason that you don’t have a message in your rule?

The rule I used is:

alert tcp any any -> any any ( msg:"Jabber"; sid:12345678; appids:"Jabber";)




Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi at cisco.com


From: "Al Lewis (allewi)" <allewi at cisco.com>
Date: Sunday, October 21, 2018 at 2:02 PM
To: Meridoff <oagvozd at gmail.com>, "Snort-users at lists.snort.org" <Snort-users at lists.snort.org>
Subject: Re: [Snort-users] snort3 : appid problem

Hello,

Do you have a pcap of the traffic being used that you can share for testing?


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi at cisco.com


From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Meridoff via Snort-users <Snort-users at lists.snort.org>
Reply-To: Meridoff <oagvozd at gmail.com>
Date: Friday, October 19, 2018 at 2:23 PM
To: "Snort-users at lists.snort.org" <Snort-users at lists.snort.org>
Subject: [Snort-users] snort3 : appid problem

Hello, I've turned on the appid inspector and configured everything needed for appid (the open app id dir and so on).

And I have a manual rule with the appids keyword:
drop tcp any any -> any any (sid:12345678; appids:"Jabber";)

Then I try to register a Jabber user; Jabber traffic goes through the interface on which snort listens, but nothing happens: nothing is blocked and no alerts are logged into the log files.


What is the example for using appids and what are the requirements for appids to work?
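As an added example (not from any message in this thread, and not Cisco's reference config), here is the minimal set of snort.lua pieces that an appids rule depends on. The thread's symptom, p->flow being NULL when AppIdInspector::eval() runs, is what you see when no stream inspector is bound to the traffic: without stream/stream_tcp, TCP packets are never attached to a flow, and appid has nothing to classify. The app_detector_dir path is an assumption; point it at the directory that holds the odp/ tree from the OpenAppId download.

```lua
-- Added example: minimal Snort 3 config fragment for appid-based rules.
-- Paths are assumptions; adjust to your install.

-- Flow tracking is what gives Packet::flow a value. Without these two
-- inspectors, p->flow stays NULL for TCP and appid silently skips the packet.
stream = { }
stream_tcp = { }

-- The appid inspector itself; app_detector_dir is the parent of odp/
-- (assumed location below).
appid = {
    app_detector_dir = '/usr/local/lib',
}

-- Bind the inspectors to traffic. Order matters: stream_tcp must run so the
-- flow exists before appid's eval() is called for the same packet.
binder = {
    { when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },
    { use = { type = 'appid' } },
}

-- Rule file (same shape as the working rule earlier in the thread), e.g. rules.txt:
--   alert tcp any any -> any any ( msg:"Jabber"; sid:12345678; appids:"Jabber"; )
ips = {
    rules = [[
        include rules.txt
    ]],
}
```

With this in place, the same pcap replay command used earlier in the thread (`snort -c snort.lua -R rules.txt -r jabber.pcap -A cmg -k none`) should produce the `[AppID: Jabber]` alert; if p->flow is still NULL, check that the binder actually matches your traffic (for example a non-default port with `when = { ports = '...' }`) before suspecting the detector directory.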