Re: snort3: problem with metadata: service http in sample.rules

[Russ <rucombs () cisco com>]

On 3/4/17 5:09 PM, Marcin Dulak wrote:
> Hi,
>
> this is a follow up to http://seclists.org/snort/2017/q1/593
To make it clear for others, that problem is due to mixing the old HTTP 
inspector and friends (rule options) with the new one.  We are phasing 
out the old one before the beta release (it was retained for certain 
testing scenarios).

To avoid that problem delete the old library 
(install/lib/snort_extra/inspectors//http_server.so) or use 
--plugin-path install/lib/snort_extra/codecs/ so you just pick up the 
external codec(s) you need.
> Using  --plugin-path /usr/lib64/snort_extra/codecs alone is not enough to
> get http traffic detected,
> if snort3 sample.rules are present.
This is a different issue; see below.
> The service option present in metadata in
> https://github.com/snortadmin/snort3/blob/89bae69d5cd980ae56ef0322b6ef7cca87a75cf2/lua/sample.rules
> seems to cause
> http to be undetected. To reproduce the problem:
>
> # cat /etc/yum.repos.d/copr-marcindulak-snort.repo
> [copr-marcindulak-snort]
> name=copr-marcindulak-snort
> baseurl=
> https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
> enabled=1
> gpgcheck=1
> gpgkey=
> https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg
>
> # yum -y install snort snort-extra
>
> # cp -f /etc/snort/sample.rules /etc/snort/rules/snort.rules
> # echo 'alert tcp any any -> any 80 (msg:"test";
> flow:to_server,established; http_uri; content:"/test"; sid:3000001;)' >>
> /etc/snort/rules/snort.rules
This rule does not have service.  Instead of deleting service from all 
the sample rules, add service to this rule in one of the following ways:

alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; metadata:service http; 
sid:3000001;)

alert http any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)

With that I get (using -A csv):

02/26-08:19:45.017007, 5, TCP, stream_tcp, 57, C2S, 192.168.17.20:34616, 
192.168.17.30:80, 1:3000001:0, allow

stream_tcp indicates that this alert is firing on a PDU or PDU buffer, 
not on a raw packet.  If no service rules exist, then the rules will be 
evaluated against PDUs.  With service and non-service rules, non-service 
rules only work on raw packets.  This distinction is important to 
improve performance and reduce false positives.

Key takeaway:  always indicate service in rules that have service 
buffers like http_uri.
> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort
> --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path
> /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt
> -A alert_fast -q
>
> # sed -i 's/service http//' /etc/snort/rules/snort.rules
> # sed -i 's/,,/,/' /etc/snort/rules/snort.rules
> # sed -i 's/:,/:/' /etc/snort/rules/snort.rules
>
> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort
> --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path
> /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt
> -A alert_fast -q
> 02/26-13:19:45.017007 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP}
> 192.168.17.20:34616 -> 192.168.17.30:80
>
> By the way most snort3 rules are incompatible with snort2 (
> https://github.com/snortadmin/snort3/blob/master/doc/differences.txt).
> I tried to use pulledpork's modifysig to convert community-rules.tar.gz
> into a snort3 format, but that's not a reliable way.
You should use snort2lua to convert rules files from 2.X to 3.0 format.  
Don't let the name fool you, it converts confs and/or rules.
> How are you planning to transition into snort3 rules? By implementing
> snort3 rules support in snort2?
At first 2.X rules will be translated with snort2lua.  I'll defer any 
further input to Talos.
> I noticed also that some type of attachments are stripped when posting on
> snort-users.
> I'm attaching test.txt (pcap), but no guarantee it will be available on the
> list.
>
> Cheers,
>
> Marcin
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!