Snort mailing list archives

(no subject)


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sun, 26 Apr 2020 16:42:32 +0200

I've found a weird bug in Snort 3.0.1 b1, compiled from github.  When you
load the community or registered ruleset, any local rules you have that use
AppID don't work.  If you don't load the rulesets, then the rules work.
Other local rules that don't use OpenAppID work just fine; it's just the
rules that use AppID that don't alert.

I have a *local.rules* file with the following two alerts:
alert tcp any any -> any any ( msg:"Facebook Detected";
appids:"Facebook";sid:10000001; )
alert icmp any any -> any any (msg:"ICMP Traffic Detected";sid:10000002;)

When I run snort with only these two rules, they work fine (both Facebook
and ICMP generate alerts):
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none

If I also include the registered ruleset (by using the snort.lua file that
came with the ruleset) along with my local.rules, the ICMP rule still
generates alerts, but the Facebook rule using AppID doesn't generate any
alerts.

Attached are the two snort.lua files I used to show this error.  snort2.lua
doesn't have the ruleset rules enabled and works fine. snort.lua has the
ruleset rules enabled, and doesn't generate any AppID alerts. I'm running
snort using the same command line options (except for the different config
file path).

I'm also logging appid stats, and I can see that appid is seeing Facebook
traffic, even when alerts aren't generating:
1587910819,__unknown,3786,7580
1587910819,DNS,279,339
1587910819,Facebook,4951,90222
1587910819,NetBIOS-dgm,450,0
1587910819,NetBIOS-ns,736,0
1587910819,HTTPS,4951,90222
1587910819,SSL client,4951,90222

I'm running the latest snort (3.0.1 b2 from github, on Ubuntu 20 x64) and
the latest OpenAppID detectors (https://snort.org/downloads/openappid/12159).

noah@snort3:~/snort_src$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.1 (Build 2)
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.43 2019-02-23
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.2.1 2020-04-25
           Using LZMA version 5.2.4

Let me know if you need anything else.
Thanks,
Noah

Attachment: snort2.lua
Description:

Attachment: snort.lua
Description:
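As an added example (not part of Noah's post or of Snort itself), the following Python script cross-checks the appid stats lines quoted above against alert_fast output and lists the AppID rules whose app was observed by appid but never alerted, which is the symptom the report describes. The alert_fast line is constructed, and the meaning of the two numeric stats columns is an assumption.

```python
import re
from collections import defaultdict

# appid stats lines quoted in the report. Fields: bucket timestamp, app name,
# two byte counters (the exact meaning of the counters is an assumption here).
APPID_STATS = """\
1587910819,__unknown,3786,7580
1587910819,DNS,279,339
1587910819,Facebook,4951,90222
1587910819,NetBIOS-dgm,450,0
1587910819,NetBIOS-ns,736,0
1587910819,HTTPS,4951,90222
1587910819,SSL client,4951,90222
"""

# AppID rules from local.rules: sid -> app named in the appids: option.
APPID_RULES = {10000001: "Facebook"}

# Constructed alert_fast output for the failing run: only the ICMP rule fired.
ALERT_FAST = """\
04/26-16:40:19.123456 [**] [1:10000002:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.1
"""

# Matches the [gid:sid:rev] "msg" part of an alert_fast line.
ALERT_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] "([^"]*)"')


def parse_appid_stats(text):
    """Return {app: summed counters} for every app appid reported."""
    seen = defaultdict(int)
    for line in text.splitlines():
        if line.strip():
            _ts, app, c1, c2 = line.split(",")
            seen[app] += int(c1) + int(c2)
    return dict(seen)


def fired_sids(alert_text):
    """Return the set of sids that appear in alert_fast output."""
    return {int(m.group(2)) for m in ALERT_RE.finditer(alert_text)}


def silent_appid_rules(stats_text, alert_text, rules=APPID_RULES):
    """sids whose app showed up in appid stats but never produced an alert."""
    seen = parse_appid_stats(stats_text)
    fired = fired_sids(alert_text)
    return sorted(sid for sid, app in rules.items()
                  if seen.get(app, 0) > 0 and sid not in fired)
```

Running silent_appid_rules(APPID_STATS, ALERT_FAST) returns [10000001], i.e. the Facebook rule saw traffic but produced no alert.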

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
