Snort mailing list archives
Re: [SUSPICIOUS] Re: Snort3: binder and wizard inspectors
From: Meridoff via Snort-users <snort-users () lists snort org>
Date: Tue, 6 Nov 2018 17:46:37 +0300
Ok, Thanks! It would be great

On Tue, 6 Nov 2018 at 17:39, Russ via Snort-users <snort-users () lists snort org> wrote:

We will add the ability to show services, probably with --help-module and --list-services.

On 11/6/18 6:31 AM, Meridoff via Snort-users wrote:

On Tue, 6 Nov 2018 at 14:21, Meridoff <oagvozd () gmail com> wrote:

On Mon, 5 Nov 2018 at 19:54, Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:

The full list for your install can be found with:

snort --plugin-path=/usr/local/lib/snort/ --help-plugins | grep ^inspector

Replace /usr/local/lib/snort with the install paths you have and note that --plugin-path must come before --help-plugins.

It shows only inspector names. But I need all possible 'service' names to use in binder {}. For example, for FTP:

inspector::ftp_client: FTP inspector client module
inspector::ftp_data: FTP data channel handler
inspector::ftp_server: FTP inspector server module

But where is the service named 'ftp' or 'ftp-data'? Which is used in binder:

{ when = { service = 'ftp' }, use = { type = 'ftp_server' } },
{ when = { service = 'ftp-data' }, use = { type = 'ftp_data' } },

As I can see, these services' names are hardcoded in InspectorApis and the only method to get them is to look into the default binder {} table in the default snort.lua.

-Carter

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Meridoff via Snort-users <Snort-users () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Sunday, November 4, 2018 at 12:08 AM
To: "Russ Combs (rucombs)" <rucombs () cisco com>
Cc: "snort-users () lists snort org" <Snort-users () lists snort org>
Subject: [SUSPICIOUS] Re: [Snort-users] Snort3: binder and wizard inspectors

Thanks a lot! Many things became more clear. And the final question is: where can I get the supported services (their names) and/or the service names supported for each inspector? I can look into the snort.lua/defaults.lua files but maybe another way exists. Their names are almost always identical, but some differ: the 'ftp_server' inspector and the 'ftp' service, and some others..

On Sun, 4 Nov 2018 at 1:36, Russ via Snort-users <snort-users () lists snort org> wrote:

See below.

Russ

On 11/2/18 7:16 PM, Meridoff via Snort-users wrote:

> Hello, there is very brief info in the manual about using wizard and binder. I have some questions concerning the most common use of them.
>
> 1. Do binder and wizard have "first match wins" logic in their config?

Binder has first match wins logic for each of the things it looks for (stream inspector, service inspector, policy). Wizard searches for all matches in parallel, with first match wins at any given step.

> 2. In binder we have the "when" table - the match logic - and the "use" table - what to do if a match occurs. Do the keys in when{} have AND logic? (e.g. when.ports and when.nets etc. must match together if specified)

Yes.

> 3. In binder use.type is the inspector to use for the match case. But what do when.service and use.service mean? As far as I understand:
> 3.1 we can define our own 'service' in binder by { when { port=123 }, use { service = "myserv" } }

You can't define services in the binder rules, you can only use existing services.

> 3.2 we can define our own 'service' in wizard by spell/hexes tables

Same thing. You can define match criteria for a service, but it only helps if an inspector supports that service.

> 3.3 if we have a 'service' then we can use it in binder.use logic

when.service, use.type is the most common case which is done in the default snort.lua. use.service allows you to map other criteria to a service, and a later rule in the current table or a sub table can be a when.service rule. You wouldn't normally use both when.service and use.service in the same rule.

> 4. What is the meaning of binder[].use.name? Where can its value be used?

You can have multiple configurations for a given service. Eg:

http_inspect = { } -- default http config
other_http = { decompress_swf = true } -- default http with one change

To use other_http as an http_inspect config, you need a binding like:

{ when = { service = 'http' }, use = { name = 'other_http', type = 'http_inspect' } }

You would typically have other when criteria to distinguish this binding for other_http from the default.

> 5. So binder{} is evaluated 1st to identify the service and 2nd to identify what inspector to use for this service or what action to take (reset|block...).

To be precise, binder does not identify service, wizard does that.

> 6. Wizard usually goes last in binder{} so it is used to identify the service that the bindings in binder failed to identify? And if we can identify the service in wizard then we look into binder a 2nd time to decide what to do with it - what inspector or action to use and so on..

Yes.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to: snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
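The binder and wizard behaviour Russ describes in the thread above, put into one configuration as an added example (this is not code from the thread or from the Snort project). It assumes snort_defaults.lua has been loaded the way the stock snort.lua does, so that default_wizard exists; the other_http name, the 10.0.0.0/8 net and tcp port 8080 are constructed for illustration. The helper at the end lists the service names the table refers to (the workaround Meridoff mentions, reading them out of the binder table) and checks that the wizard is the last rule.

```lua
-- Added example, not from this thread or the Snort project: one binder table
-- that puts the thread's answers side by side (when.service -> use.type,
-- use.name for an alternate config, use.service to map a port to an existing
-- service, wizard as the last rule), plus a helper that lists the service
-- names the table refers to and checks that the wizard is last. other_http,
-- the 10.0.0.0/8 net and tcp port 8080 are constructed for illustration.

-- Two configurations of the same inspector; use.name selects the second.
http_inspect = { }                        -- default http config
other_http   = { decompress_swf = true }  -- default http with one change

-- Pattern hints for service identification. default_wizard is assumed to come
-- from snort_defaults.lua, loaded as in the stock snort.lua; under plain lua
-- it is simply nil and the helper below still runs.
wizard = default_wizard

binder = {
    -- when.service -> use.type: the common case, as in the default snort.lua.
    -- The service names must be ones an installed inspector supports.
    { when = { service = 'ftp' },      use = { type = 'ftp_server' } },
    { when = { service = 'ftp-data' }, use = { type = 'ftp_data' } },

    -- use.service: map other criteria (here a port) to an existing service;
    -- this does not define a new service. Later when.service rules then apply.
    { when = { proto = 'tcp', ports = '8080' }, use = { service = 'http' } },

    -- use.name: http on one net gets the alternate config. It must precede the
    -- default http binding because first match wins.
    { when = { service = 'http', nets = '10.0.0.0/8' },
      use  = { name = 'other_http', type = 'http_inspect' } },
    { when = { service = 'http' }, use = { type = 'http_inspect' } },

    -- wizard last: identifies the service for flows nothing above matched,
    -- after which binder is consulted again for the inspector to use.
    { use = { type = 'wizard' } },
}

-- Collect the distinct service names a binder table refers to, in first-seen
-- order, and report whether its final rule is the wizard.
local function summarize(rules)
    local seen, services = {}, {}
    local function note(name)
        if name and not seen[name] then
            seen[name] = true
            services[#services + 1] = name
        end
    end
    for _, rule in ipairs(rules) do
        note(rule.when and rule.when.service)
        note(rule.use and rule.use.service)
    end
    local last = rules[#rules]
    local wizard_last = last ~= nil and last.use ~= nil and last.use.type == 'wizard'
    return services, wizard_last
end

-- Run the file with plain `lua` to see the summary; snort ignores the output.
local services, wizard_last = summarize(binder)
print('services referenced: ' .. table.concat(services, ', '))
print('wizard is the last rule: ' .. tostring(wizard_last))
```

The helper only sees names the binder table itself uses, which is exactly the limitation Meridoff ran into: it cannot tell whether an installed inspector actually supports a service, so it is a consistency check on your own rules, not a substitute for the --list-services option Russ mentions adding.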
Current thread:
- Snort3: binder and wizard inspectors Meridoff via Snort-users (Nov 02)
- Re: Snort3: binder and wizard inspectors Russ via Snort-users (Nov 03)
- Re: Snort3: binder and wizard inspectors Meridoff via Snort-users (Nov 03)
- Re: [SUSPICIOUS] Re: Snort3: binder and wizard inspectors Carter Waxman (cwaxman) via Snort-users (Nov 05)
- Message not available
- Re: [SUSPICIOUS] Re: Snort3: binder and wizard inspectors Meridoff via Snort-users (Nov 06)
- Re: [SUSPICIOUS] Re: Snort3: binder and wizard inspectors Russ via Snort-users (Nov 06)
- Re: [SUSPICIOUS] Re: Snort3: binder and wizard inspectors Meridoff via Snort-users (Nov 06)
- Re: Snort3: binder and wizard inspectors Meridoff via Snort-users (Nov 03)
- Re: Snort3: binder and wizard inspectors Russ via Snort-users (Nov 03)