![snort logo](/images/snort-logo.png)
Snort mailing list archives
(no subject)
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sun, 26 Apr 2020 16:42:32 +0200
I've found a weird bug in Snort 3.0.1 b1, compiled from github. When you load the community or registered ruleset, any local rules you have that use AppID don't work. If you don't load the rulesets, then the rules work. Other local rules that don't use OpenAppID work just fine; it's just the rules that use AppID that don't alert.

I have a *local.rules* file with the following two alerts:

```
alert tcp any any -> any any ( msg:"Facebook Detected"; appids:"Facebook"; sid:10000001; )
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000002; )
```

When I run snort with only these two rules, they work fine (both Facebook and ICMP generate alerts):

```
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none
```

If I also include the registered ruleset (by using the snort.lua file that came with the ruleset) along with my local.rules, the ICMP rule still generates alerts, but the Facebook rule using AppID doesn't generate any alerts.

Attached are the two snort.lua files I used to show this error. snort2.lua doesn't have the ruleset rules enabled and works fine. snort.lua has the ruleset rules enabled, and doesn't generate any AppID alerts. I'm running snort using the same command line options (except for the different config file path).

I'm also logging appid stats, and I can see that appid is seeing Facebook traffic, even when alerts aren't generating:

```
1587910819,__unknown,3786,7580
1587910819,DNS,279,339
1587910819,Facebook,4951,90222
1587910819,NetBIOS-dgm,450,0
1587910819,NetBIOS-ns,736,0
1587910819,HTTPS,4951,90222
1587910819,SSL client,4951,90222
```

I'm running the latest snort (3.0.1 b2 from github, on Ubuntu 20 x64) and the latest OpenAppID detectors (https://snort.org/downloads/openappid/12159):

```
noah@snort3:~/snort_src$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.1 (Build 2)
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.43 2019-02-23
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.2.1 2020-04-25
           Using LZMA version 5.2.4
```

Let me know if you need anything else.

thanks
Noah
Attachment: snort2.lua
Attachment: snort.lua
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
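The report above rests on cross-checking three artefacts by eye: the local rule file (which sids carry an `appids` option), the `alert_fast` output (which sids actually fired) and the appid stats log (which applications AppID classified). The script below is an added example, not code from the poster or from the Snort project, that automates that triage: it lists every `appids` rule whose application shows up in the stats but whose sid never produced an alert, which is exactly the symptom described. The rule and stats lines are copied from the report; the `alert_fast` lines are constructed to match the reported outcome (only the ICMP rule fired), and the only thing relied on in their layout is the `[gid:sid:rev]` field. The rule option parser is a deliberately simple one for `key:value;` options, not Snort's own parser, and reading the two numeric stats columns as byte counters that can simply be summed is an assumption.

```python
import re
from collections import defaultdict

# Rule file as shown in the report.
LOCAL_RULES = '''
alert tcp any any -> any any ( msg:"Facebook Detected"; appids:"Facebook"; sid:10000001; )
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000002; )
'''

# appid_stats lines as shown in the report.
APPID_STATS = '''1587910819,__unknown,3786,7580
1587910819,DNS,279,339
1587910819,Facebook,4951,90222
1587910819,NetBIOS-dgm,450,0
1587910819,NetBIOS-ns,736,0
1587910819,HTTPS,4951,90222
1587910819,SSL client,4951,90222
'''

# Constructed alert_fast lines (not from the poster's sensor): only the
# ICMP rule fires, matching the behaviour the report describes.
ALERT_FAST = '''04/26-16:40:01.123456 [**] [1:10000002:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.1
04/26-16:40:02.654321 [**] [1:10000002:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 10.0.0.1 -> 10.0.0.5
'''

RULE_RE = re.compile(r'^\s*alert\b.*?\((?P<opts>.*)\)\s*$')
# key:"quoted value"; or key:bare value;  (simplified, not Snort's parser)
OPT_RE = re.compile(r'(\w+)\s*:\s*("([^"]*)"|([^;]*))\s*;')
# [gid:sid:rev] as printed by alert_fast
SID_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')


def parse_rules(text):
    """Map sid -> set of application names for rules that use appids."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {}
        for key, _whole, quoted, bare in OPT_RE.findall(m.group('opts')):
            opts[key] = quoted if quoted else bare.strip()
        if 'sid' not in opts or 'appids' not in opts:
            continue
        apps = {a.strip() for a in opts['appids'].split(',') if a.strip()}
        rules[int(opts['sid'])] = apps
    return rules


def parse_appid_stats(text):
    """Total of the numeric columns per application from appid stats lines.

    Column layout is taken from the report: epoch timestamp, application
    name, then two counters. Treating the counters as byte totals that can
    be summed is an assumption made for this example.
    """
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.strip().split(',')
        if len(parts) < 4:
            continue
        _ts, app, *counters = parts
        try:
            totals[app] += sum(int(c) for c in counters)
        except ValueError:
            continue  # skip malformed lines rather than abort the report
    return dict(totals)


def fired_sids(text):
    """Set of sids that produced at least one alert_fast line."""
    return {int(m.group(2)) for m in SID_RE.finditer(text)}


def silent_appid_rules(rules_text, stats_text, alerts_text):
    """sid -> apps that AppID saw although the rule never alerted."""
    rules = parse_rules(rules_text)
    seen = parse_appid_stats(stats_text)
    fired = fired_sids(alerts_text)
    silent = {}
    for sid, apps in rules.items():
        if sid in fired:
            continue
        hit = sorted(a for a in apps if seen.get(a, 0) > 0)
        if hit:
            silent[sid] = hit
    return silent


if __name__ == '__main__':
    for sid, apps in silent_appid_rules(LOCAL_RULES, APPID_STATS, ALERT_FAST).items():
        print(f"sid {sid}: AppID classified {', '.join(apps)} but the rule never alerted")
```

Run against the inputs above it reports sid 10000001 for Facebook, which is the report's finding in one line; pointing the three parsers at a live `local.rules`, `alert_fast` log and appid stats file gives the same check for a whole ruleset. A rule that stays silent while its application is absent from the stats is a classification problem rather than the rule-loading problem described here, which is why the script only flags sids whose application was actually seen.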
Current thread:
- (no subject) Boroboro Yokotero via Snort-sigs (Apr 01)
- <Possible follow-ups>
- (no subject) Noah Dietrich (Apr 26)
- Re: (no subject) Russ Combs (rucombs) via Snort-devel (Apr 26)