Snort mailing list archives
Re: snort3: problem with metadata: service http in sample.rules
From: Russ <rucombs () cisco com>
Date: Sun, 5 Mar 2017 09:05:09 -0500
On 3/4/17 5:09 PM, Marcin Dulak wrote:
Hi, this is a follow up to http://seclists.org/snort/2017/q1/593
To make it clear for others, that problem is due to mixing the old HTTP inspector and friends (rule options) with the new one. We are phasing out the old one before the beta release (it was retained for certain testing scenarios). To avoid that problem delete the old library (install/lib/snort_extra/inspectors//http_server.so) or use --plugin-path install/lib/snort_extra/codecs/ so you just pick up the external codec(s) you need.
Using --plugin-path /usr/lib64/snort_extra/codecs alone is not enough to get http traffic detected, if snort3 sample.rules are present.
This is a different issue; see below.
The service option present in metadata in https://github.com/snortadmin/snort3/blob/89bae69d5cd980ae56ef0322b6ef7cca87a75cf2/lua/sample.rules seems to cause http to be undetected. To reproduce the problem:

# cat /etc/yum.repos.d/copr-marcindulak-snort.repo
[copr-marcindulak-snort]
name=copr-marcindulak-snort
baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg
# yum -y install snort snort-extra
# cp -f /etc/snort/sample.rules /etc/snort/rules/snort.rules
# echo 'alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)' >> /etc/snort/rules/snort.rules
This rule does not have service. Instead of deleting service from all the sample rules, add service to this rule in one of the following ways:

alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; metadata:service http; sid:3000001;)

alert http any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)

With that I get (using -A csv):

02/26-08:19:45.017007, 5, TCP, stream_tcp, 57, C2S, 192.168.17.20:34616, 192.168.17.30:80, 1:3000001:0, allow

stream_tcp indicates that this alert is firing on a PDU or PDU buffer, not on a raw packet. If no service rules exist, then the rules will be evaluated against PDUs. With service and non-service rules, non-service rules only work on raw packets. This distinction is important to improve performance and reduce false positives.

Key takeaway: always indicate service in rules that have service buffers like http_uri.
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A alert_fast -q
# sed -i 's/service http//' /etc/snort/rules/snort.rules
# sed -i 's/,,/,/' /etc/snort/rules/snort.rules
# sed -i 's/:,/:/' /etc/snort/rules/snort.rules
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A alert_fast -q
02/26-13:19:45.017007 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80

By the way, most snort3 rules are incompatible with snort2 (https://github.com/snortadmin/snort3/blob/master/doc/differences.txt). I tried to use pulledpork's modifysig to convert community-rules.tar.gz into a snort3 format, but that's not a reliable way.
You should use snort2lua to convert rules files from 2.X to 3.0 format. Don't let the name fool you, it converts confs and/or rules.
How are you planning to transition into snort3 rules? By implementing snort3 rules support in snort2?
At first 2.X rules will be translated with snort2lua. I'll defer any further input to Talos.
I noticed also that some types of attachments are stripped when posting on snort-users. I'm attaching test.txt (pcap), but no guarantee it will be available on the list.

Cheers,

Marcin

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
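The takeaway in the reply above (a rule that uses an HTTP buffer such as http_uri must declare a service, either with metadata:service http or by using http as the rule protocol, or it is only evaluated against raw packets once service rules are loaded) is easy to check mechanically. The following is an added Python lint, not code from this thread or from the Snort project: it parses rules in the usual "action proto header (options;)" shape, flags rules that use an HTTP sticky buffer without an http service, and rewrites them in the first of the two forms quoted in the reply. The sticky-buffer list is an assumption drawn from the Snort 3 http_inspect option names, the sample rules file is constructed (it contains the three rule variants from the message plus one raw-packet rule), and the handling of an existing metadata option is this example's own choice.

```python
import re

# Assumed set of Snort 3 HTTP sticky buffers; these match on the reassembled
# HTTP PDU, so a rule using one of them needs an http service. Extend as needed.
HTTP_BUFFERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_client_body", "http_cookie", "http_raw_cookie", "http_method",
    "http_stat_code", "http_stat_msg", "http_raw_body", "http_raw_request",
    "http_raw_status", "http_trailer", "http_raw_trailer", "http_true_ip",
    "http_version", "http_param",
}

# action proto <header up to the first "("> ( options )
RULE_RE = re.compile(r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<hdr>.+?)\s*\((?P<body>.*)\)\s*$")


def split_options(body):
    """Split the option body on ';' but keep ';' that sits inside a quoted
    content/pcre string or after a backslash escape."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False; continue
        if ch == "\\":
            cur.append(ch); escaped = True; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def option_name(opt):
    return opt.partition(":")[0].strip()


def declared_services(proto, opts):
    """Services the rule is bound to: a non-transport protocol in the header
    (e.g. 'http') plus every 'service X' entry inside metadata options."""
    services = set()
    if proto.lower() not in {"ip", "tcp", "udp", "icmp"}:
        services.add(proto.lower())
    for opt in opts:
        if option_name(opt) == "metadata":
            for item in opt.partition(":")[2].split(","):
                words = item.split()
                if len(words) >= 2 and words[0] == "service":
                    services.add(words[1].lower())
    return services


def parse_rule(line):
    """Return (action, proto, header, options) or None for blanks/comments."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = RULE_RE.match(line)
    return None if m is None else (m["action"], m["proto"], m["hdr"], split_options(m["body"]))


def needs_service(proto, opts):
    uses_http_buffer = bool({option_name(o) for o in opts} & HTTP_BUFFERS)
    return uses_http_buffer and "http" not in declared_services(proto, opts)


def lint(text):
    """Return [(line_number, sid)] for every rule that uses an HTTP buffer
    without declaring an http service."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed and needs_service(parsed[1], parsed[3]):
            sid = next((option_name_value for option_name_value in
                        (o.partition(":")[2].strip() for o in parsed[3] if option_name(o) == "sid")), None)
            findings.append((lineno, sid))
    return findings


def fix_rule(line):
    """Add 'service http' to a flagged rule (the metadata form from the reply):
    extend an existing metadata option, else insert one before sid.
    Rules that are not flagged come back unchanged."""
    parsed = parse_rule(line)
    if parsed is None or not needs_service(parsed[1], parsed[3]):
        return line
    action, proto, hdr, opts = parsed
    for i, opt in enumerate(opts):
        if option_name(opt) == "metadata":
            opts[i] = opt.rstrip() + ", service http"
            break
    else:
        sid_at = next((i for i, o in enumerate(opts) if option_name(o) == "sid"), len(opts))
        opts.insert(sid_at, "metadata:service http")
    return f"{action} {proto} {hdr} ({'; '.join(opts)};)"


# Constructed sample rules file: the three variants from the message plus a
# raw-packet rule that needs no service at all.
SAMPLE_RULES = """\
# constructed sample for the lint
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; metadata:service http; sid:3000001;)
alert http any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 22 (msg:"raw banner"; content:"SSH-"; sid:3000002;)
"""

if __name__ == "__main__":
    lines = SAMPLE_RULES.splitlines()
    for lineno, sid in lint(SAMPLE_RULES):
        print(f"line {lineno} sid {sid}: HTTP buffer used without an http service")
        print("  suggested:", fix_rule(lines[lineno - 1]))
```

Run against a real rules file (for example the sample.rules copy from the thread after the sed commands that strip "service http"), the lint lists exactly the rules that would silently stop matching PDU buffers once any service rule is present in the set.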
Current thread:
- snort3: problem with metadata: service http in sample.rules Marcin Dulak (Mar 04)
- Re: snort3: problem with metadata: service http in sample.rules Al Lewis (allewi) (Mar 05)
- Re: snort3: problem with metadata: service http in sample.rules Russ (Mar 05)
- Re: snort3: problem with metadata: service http in sample.rules Marcin Dulak (Mar 05)