Snort mailing list archives
Re: snort3: problem with metadata: service http in sample.rules
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sun, 5 Mar 2017 13:46:25 +0000
Marcin,

Snort2.x rules are not compatible with snort3. You need to use snort2lua to convert snort2.x files. If I use the service tag with the rules you sent before I still get alerts.

ALLEWI-M-8257:marcin-issue allewi$ ./bin/snort -c etc/snort/marcin.lua --plugin-path=/var/tmp/marcin-issue/lib/snort_extra/codecs -r ~/Downloads/marcin-sent.pcap -A fast -q
02/26-08:19:45.017007 [**] [1:4000003:0] "LOCAL http_method test for GET" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
02/26-08:19:45.017007 [**] [1:3000002:0] "test" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
02/26-08:19:45.017007 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
02/26-08:19:45.017007 [**] [1:4000002:0] "LOCAL http_method test for GET" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
02/26-08:19:45.034962 [**] [1:4000002:0] "LOCAL http_method test for GET" [**] [Priority: 0] {TCP} 192.168.17.30:80 -> 192.168.17.20:34616
02/26-08:19:45.034962 [**] [1:4000001:0] "LOCAL http_method test for GET" [**] [Priority: 0] {TCP} 192.168.17.30:80 -> 192.168.17.20:34616

ALLEWI-M-8257:marcin-issue allewi$ cat etc/snort/marcin.lua | grep metadata
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; metadata:service http; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; http_uri; metadata:service http; content:"/test"; sid:3000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; content: "GET"; metadata:service http; sid:4000001;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; metadata:service http; sid:4000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; content: "GET"; metadata:service http; sid:4000003;)

You can try sending the conf file and pcap directly if possible.

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc.
now part of Cisco
Email: allewi () cisco com

On 3/4/17, 5:09 PM, "Marcin Dulak" <marcin.dulak () gmail com> wrote:
Hi,

this is a follow up to http://seclists.org/snort/2017/q1/593

Using --plugin-path /usr/lib64/snort_extra/codecs alone is not enough to get http traffic detected, if snort3 sample.rules are present. The service option present in metadata in https://github.com/snortadmin/snort3/blob/89bae69d5cd980ae56ef0322b6ef7cca87a75cf2/lua/sample.rules seems to cause http to be undetected.

To reproduce the problem:

# cat /etc/yum.repos.d/copr-marcindulak-snort.repo
[copr-marcindulak-snort]
name=copr-marcindulak-snort
baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg
# yum -y install snort snort-extra
# cp -f /etc/snort/sample.rules /etc/snort/rules/snort.rules
# echo 'alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)' >> /etc/snort/rules/snort.rules
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A alert_fast -q
# sed -i 's/service http//' /etc/snort/rules/snort.rules
# sed -i 's/,,/,/' /etc/snort/rules/snort.rules
# sed -i 's/:,/:/' /etc/snort/rules/snort.rules
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A alert_fast -q
02/26-13:19:45.017007 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80

By the way most snort3 rules are incompatible with snort2 (https://github.com/snortadmin/snort3/blob/master/doc/differences.txt). I tried to use pulledpork's modifysig to convert community-rules.tar.gz into a snort3 format, but that's not a reliable way. How are you planning to transition into snort3 rules? By implementing snort3 rules support in snort2?

I noticed also that some types of attachments are stripped when posting on snort-users. I'm attaching test.txt (pcap), but no guarantee it will be available on the list.

Cheers,

Marcin
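The reproduction step above strips `service http` out of every rule with three blind sed substitutions and then patches up the stray commas and colons they leave behind; that breaks as soon as a `content:` or `msg:` string happens to contain the same text, or a metadata option carries more than one key. As an added example that is not part of this thread and not Snort or snort2lua code, the script below does the same experiment with a small option-aware rewriter: it splits the rule option body on `;` while honouring double quotes and backslash escapes, removes only the `service <name>` entries from `metadata:`, keeps any other metadata keys, and drops the option entirely if nothing is left. The sample rules in `SAMPLE_RULES` are constructed for the demonstration (the first is the rule Marcin appended; the others are hypothetical). This is a tool for reproducing the observation, not a recommended fix: the thread's answer for Snort 2 rule files is to run them through snort2lua.

```python
import re

# Constructed sample rules for the demonstration: the first is the rule from the
# reproduction steps, the other two are hypothetical edge cases.
SAMPLE_RULES = """\
# comment lines and blank lines are passed through untouched
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; metadata:service http; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"multi"; metadata:policy balanced-ips drop, service http; sid:3000002;)
alert tcp any any -> any 80 (msg:"quoted; not an option"; content:"service http, x"; metadata:service http; sid:3000003;)
"""


def split_options(body: str) -> list:
    """Split a rule option body on ';' while honouring double quotes and
    backslash escapes, so a ';' inside a content/msg string is not a separator."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            part = "".join(buf).strip()
            if part:
                parts.append(part)
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def strip_metadata_service(rule: str) -> str:
    """Remove every 'service <name>' entry from the metadata: option of one rule.
    Other metadata entries are kept; an emptied metadata: option is dropped."""
    m = re.match(r"^(.*?\()(.*)\)\s*$", rule, re.S)
    if not m:
        return rule  # no option body: leave the line alone
    header, body = m.group(1), m.group(2)
    kept_opts = []
    for opt in split_options(body):
        name, sep, value = opt.partition(":")
        if sep and name.strip() == "metadata":
            entries = [e.strip() for e in value.split(",") if e.strip()]
            entries = [e for e in entries if e.split()[0] != "service"]
            if not entries:
                continue  # nothing left; drop the option instead of emitting "metadata:;"
            opt = "metadata:" + ", ".join(entries)
        kept_opts.append(opt)
    return header + " ".join(o + ";" for o in kept_opts) + ")"


def rewrite_rules(text: str) -> str:
    """Apply strip_metadata_service to every rule line of a rules file,
    passing comments and blank lines through unchanged."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith("#") or not line.strip():
            out.append(line)
        else:
            out.append(strip_metadata_service(line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rewrite_rules(SAMPLE_RULES), end="")
```

Run it as a filter (`python3 rewrite.py < snort.rules > snort.stripped.rules`) in place of the three sed commands; the quoted-string case in the third sample rule is exactly the one that `s/service http//` would have mangled.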
Current thread:
- snort3: problem with metadata: service http in sample.rules Marcin Dulak (Mar 04)
- Re: snort3: problem with metadata: service http in sample.rules Al Lewis (allewi) (Mar 05)
- Re: snort3: problem with metadata: service http in sample.rules Russ (Mar 05)
- Re: snort3: problem with metadata: service http in sample.rules Marcin Dulak (Mar 05)