Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [SUSPICIOUS] Re: Snort3: binder and wizard inspectors

From: Meridoff via Snort-users <snort-users () lists snort org>
Date: Tue, 6 Nov 2018 17:46:37 +0300
Ok, Thanks! It whould be great

вт, 6 нояб. 2018 г. в 17:39, Russ via Snort-users <
snort-users () lists snort org>:


We will add the ability to show services, probably with --help-module and
--list-services.

On 11/6/18 6:31 AM, Meridoff via Snort-users wrote:



вт, 6 нояб. 2018 г. в 14:21, Meridoff <oagvozd () gmail com>:


I
пн, 5 нояб. 2018 г. в 19:54, Carter Waxman (cwaxman) <cwaxman () cisco com>:


The full list for your install can be found with:



snort --plugin-path=/usr/local/lib/snort/ --help-plugins | grep
^inspector



Replace /usr/local/lib/snort with the install paths you have and note
that --plugin-path must come before --help-plugins.



It shows only inspector names. But I need all possible 'service's names
to use in binder {}. For example, for FTP:
inspector::ftp_client: FTP inspector client module
inspector::ftp_data: FTP data channel handler
inspector::ftp_server: FTP inspector server module

But where is service named 'ftp'  or 'ftp-data' ? Which is used in binder:

    { when = { service = 'ftp' },              use = { type =
'ftp_server' } },
    { when = { service = 'ftp-data' },         use = { type = 'ftp_data'
} },




As I can see these services' names are hardcoded in InspectorApis and only
one method to get them is to look into default binder {}  table in default
snort.lua .















-Carter

*From: *Snort-users <snort-users-bounces () lists snort org> on behalf of
Meridoff via Snort-users <Snort-users () lists snort org>
*Reply-To: *Meridoff <oagvozd () gmail com>
*Date: *Sunday, November 4, 2018 at 12:08 AM
*To: *"Russ Combs (rucombs)" <rucombs () cisco com>
*Cc: *"snort-users () lists snort org" <Snort-users () lists snort org>
*Subject: *[SUSPICIOUS] Re: [Snort-users] Snort3: binder and wizard
inspectors



Thanks a lot ! Many things became more clear.



And final question is : where I can get supported services (their names)
and/or services names supoorted for each inspector ?

I can look into snort.lua/defaults.lua files but may be exists other
way.

Their names almost always identical, but some differs: 'ftp_server'
inspector and 'ftp' service and some others..







вс, 4 нояб. 2018 г. в 1:36, Russ via Snort-users <
snort-users () lists snort org>:

See below.
Russ

On 11/2/18 7:16 PM, Meridoff via Snort-users wrote:

Hello, it's very brief info in manual about using wizard and binder.



I have some questions concerning the most common use of them.



1. Binder and wizard has "first match wins" logic in their config ?

Binder has first match wins logic for each of the things it looks for
(stream inspector, service inspector, policy).  Wizard searches for all
matches in parallel, with first match wins at any given step.



2. In binder we have "when" table - the match logic and "use" table -
what to do  if match occure. Are the keys in when{}  have AND logic? (e.g.:
when.ports and when.nets etc.. must match togather if specified)

Yes.



3. In binder use.type - is the inspector to use for match case. But what
means when.service and use.service?

As far as I understand:

 3.1 we can define own 'service' in binder by    { when {port=123 }, use
{ service = "myserv" }  }

You can't define services in the binder rules, you can only use existing
services.

 3.2 we can define own 'service' in wizard by spell/hexes tables

Same thing.  You can define match criteria for a service, but it only
helps if an inspector supports that service.

 3.3 if we have 'service' then we can use it in binder.use logic

when.service, user.type is the most common case which is done in the
default snort.lua.  use.service allows you to map other criteria to a
service, and a later rule in the current table or a sub table can can be a
when.service rule.  You wouldn't normally use both when.service and
use.service in the same rule.



4. What meaning of binder[].use.name
<http://secure-web.cisco.com/1UjID5BhZe5vKtZrb184wWri-pqav--CBs5IO1d7hBt5FQ1c5dxxDIV8gXlfo1jfwF0AHgP_mn2dP7urcER5KELE28sRgRCwKWLXf4id_Su78NFzhn8LxIRfchGZCENmgKHtW4T1XD_hjlBz16Jigp-jLYRM1MljZvwqss3RnRvldAiW8ny_Le8ix65EUULrJj9Yr1FZShQNqlunmH0kRPobSd2ZO9c503sHdME8VnZ3NOMvvIXiFhp02uEFSlTKkM-sRkzSuz8C4xkzgIrn3S_XrFBk4UzWfwn7YbT4mmf6QxVruTTcijshzu7TI4YHRg20Ov4QUatzWDdfQV70BGw/http%3A%2F%2Fuse.name>
? Where its value can be used?

You can have multiple configurations for a given service.  Eg:

http_inspect = { }  -- default http config
other_http = { decompress_swf = true }  -- default http with one change

To use other_http as an http_inspect config, you need a binding like:

{ when = { service = 'http' }, use = { name = 'other_http', type =
'http_inspect' }

You would typically have other when criteria to distinguish this a
binding for other_http from the default.



5.So binder{} is evaluated 1st to identify service and 2nd to identify
what inspector to use for this service or what action to do
(reset|block...).

To be precise, binder does not identify service, wizard does that.



6. Wizard usually goes last in binder{} so it is used to identify
service that was failed to identify by bindings in binder ? And if we can
identify serivce in wizard than we look into binder 2n time to decide what
to do with it - what inspector or action to use and so on..

Yes.











_______________________________________________

Snort-users mailing list

Snort-users () lists snort org

Go to this URL to change user options or unsubscribe:

https://secure-web.cisco.com/1KoAbd2Fwy0zg-XH984gao_BYzKPrjtlSPf66_tA0GcWb0IMS564h3z-ToDV8nyG3IrhDQ3y2i8iQrvAX-aMaKOP7t1kGOBZD9K9R4JFnJxsmbOVPuF5o4PlwlrI-CsoBwuG8Be4J0maimprETCD9fPTT9-tsDXk7iFpblGdlon16y1E-jHT5ZjPPDfJZ0-PLaKlEouyL23BFf5JuzUzqsZdXgDMtetCGP8IPHKZK-qdKQfIz2YAtCgwD6lU7Ilf9uje0BFWNJXW7nl4VBHpQz-fFuyWu7E4Rq0XvS1Xhs4TJwOM602CsWkEn5n0Vj0sq/https%3A%2F%2Flists.snort.org%2Fmailman%2Flistinfo%2Fsnort-users



       To unsubscribe, send an email to:

       snort-users-leave () lists snort org



Please visit 
http://secure-web.cisco.com/172OQyn8Uj1_gl0BTtp4R0_TVY9ssUzfwExF6DpcMz8jF5Vg4C-yDakdskqQqFPajnCxrzuSWTLULrsq3s8wE00GYNpgix_1VSnHroQ7eDLEALuAbN7_6WHXY01vRr3NVh-UQJF34pSaT5dEeYDPGBWSxHXAVpZYgOACpFd1dVXYomybCpsJNLeUhCHpyWL2f3d_nbNj3WpBxhCKvYEkKBX_jL1zhFcJ86yx2vbcvnES2moVBwJga57t4aIOUMXPXMrwt7FUtz7CUVqJyktU23TDFUHVVc8fbAgMaL1L_CCgRKg6Or41O1Tm_l3Vb1ajiw0eKfXUZP1dcts0X8bGPLA/http%3A%2F%2Fblog.snort.org
 to stay current on all the latest Snort news!



Please follow these rules: 
https://secure-web.cisco.com/1_RbiiCSYt2loRI3klHxAJCPKhuMDqdJGiJRLJMiTp1trDac7PZNlAlY5zLPJs95UdUKlk3o13EDmluqlS9wItlPo3RKOLY0ahBwjxetYJ7YC-HMxOeudDypS66zEanzeWRuVrOsKFs4ozr_hN8UkY26PXuU4fo7Myj0-8D_zhXPP1r-HiJFMi59p8qGpZBNljYBZXcULdz6LIClF4N_E90EbZACRRc3UIbyZgjjws-YimUDMoOuTSs3EYpWfgiFrXGJ1IvPqH2MPayq7R3Qy5W0gsSGL2PXUsSZujeckPcnpIjXTNAhzKRxg0vOefK_eMaDqikQUX9VHHQXvKxZCXQ/https%3A%2F%2Fsnort.org%2Ffaq%2Fwhat-is-the-mailing-list-etiquette



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:

https://secure-web.cisco.com/1KoAbd2Fwy0zg-XH984gao_BYzKPrjtlSPf66_tA0GcWb0IMS564h3z-ToDV8nyG3IrhDQ3y2i8iQrvAX-aMaKOP7t1kGOBZD9K9R4JFnJxsmbOVPuF5o4PlwlrI-CsoBwuG8Be4J0maimprETCD9fPTT9-tsDXk7iFpblGdlon16y1E-jHT5ZjPPDfJZ0-PLaKlEouyL23BFf5JuzUzqsZdXgDMtetCGP8IPHKZK-qdKQfIz2YAtCgwD6lU7Ilf9uje0BFWNJXW7nl4VBHpQz-fFuyWu7E4Rq0XvS1Xhs4TJwOM602CsWkEn5n0Vj0sq/https%3A%2F%2Flists.snort.org%2Fmailman%2Flistinfo%2Fsnort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit
http://secure-web.cisco.com/172OQyn8Uj1_gl0BTtp4R0_TVY9ssUzfwExF6DpcMz8jF5Vg4C-yDakdskqQqFPajnCxrzuSWTLULrsq3s8wE00GYNpgix_1VSnHroQ7eDLEALuAbN7_6WHXY01vRr3NVh-UQJF34pSaT5dEeYDPGBWSxHXAVpZYgOACpFd1dVXYomybCpsJNLeUhCHpyWL2f3d_nbNj3WpBxhCKvYEkKBX_jL1zhFcJ86yx2vbcvnES2moVBwJga57t4aIOUMXPXMrwt7FUtz7CUVqJyktU23TDFUHVVc8fbAgMaL1L_CCgRKg6Or41O1Tm_l3Vb1ajiw0eKfXUZP1dcts0X8bGPLA/http%3A%2F%2Fblog.snort.org
to stay current on all the latest Snort news!

Please follow these rules:
https://secure-web.cisco.com/1_RbiiCSYt2loRI3klHxAJCPKhuMDqdJGiJRLJMiTp1trDac7PZNlAlY5zLPJs95UdUKlk3o13EDmluqlS9wItlPo3RKOLY0ahBwjxetYJ7YC-HMxOeudDypS66zEanzeWRuVrOsKFs4ozr_hN8UkY26PXuU4fo7Myj0-8D_zhXPP1r-HiJFMi59p8qGpZBNljYBZXcULdz6LIClF4N_E90EbZACRRc3UIbyZgjjws-YimUDMoOuTSs3EYpWfgiFrXGJ1IvPqH2MPayq7R3Qy5W0gsSGL2PXUsSZujeckPcnpIjXTNAhzKRxg0vOefK_eMaDqikQUX9VHHQXvKxZCXQ/https%3A%2F%2Fsnort.org%2Ffaq%2Fwhat-is-the-mailing-list-etiquette




_______________________________________________
Snort-users mailing listSnort-users () lists snort org
Go to this URL to change user options or unsubscribe:https://lists.snort.org/mailman/listinfo/snort-users

      To unsubscribe, send an email to:
      snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Previous By Date Next
Previous By Thread Next

Current thread: