Snort mailing list archives
Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases
From: Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Date: Mon, 14 Sep 2020 22:19:42 +0300
Hello,

I found the right way to reproduce the bug. The main bug is related to rule reload.

1st test - Start with empty ruleset, reload with 1 appid block rule: detection does not work
2nd test - Start with 1 appid block rule, no reload: detection works
3rd test - Start with 1 appid block rule, reload with same rule: detection stops

Finally, if snort is reloaded (killall -HUP snort), appid detection stops working.
All versions >= 3.0.2.1, even 3.0.2.6, are affected.

Thanks,
Ozkan.

On Sat, Sep 5, 2020 at 1:02 PM Özkan KIRIK <ozkan.kirik () gmail com> wrote:

Hello Shravan,

You can repeat the bug with this scenario:

Network: [windows client] -> [snort3 inline bridge] -> [nat box] -> [internet]

IPS rule:
block ip any any -> any any ( msg: "block wetransfer "; appids:"wetransfer"; sid:9000001; )

config:
appid = { app_detector_dir = '/usr/local/etc/snort', log_stats = true }

Traffic: Open a web browser on the windows client and visit https://www.wetransfer.com/.

Thanks,
Ozkan

On Fri, Sep 4, 2020 at 8:19 PM Shravan Rangarajuvenkata (shrarang) <shrarang () cisco com> wrote:

Hello Ozkan,

Thanks for reporting the issue! Can you please provide us the pcaps that can reproduce this issue?

Regarding your question about whether you need to change any configuration, the answer is no. No extra configuration is needed.

Thanks,
Shravan

On Sep 4, 2020, at 12:19 AM, Özkan KIRIK via Snort-devel <snort-devel () lists snort org> wrote:

I'm still trying different versions to find where the bug exists.
- snort3.0.1.5 - detection and block action work properly
- snort3.0.2.1 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.

There is something wrong with appid detection in snort3 builds >= 3.0.2.1. All the builds after 3.0.2.* have this issue.

I wrote that appid_stats has lines about wetransfer, but after kill & restart of snort3, I couldn't reproduce wetransfer detection. Tests are run with a freebsd+snort3 gateway and 1 windows client only.

- snort3.0.2.1 - appid_stats.log with similar traffic
# cat appid_stats.log
1599192367,DNS,3032,5497
1599192367,HTTPS,144450,2774175
1599192367,MDNS,3650,0
1599192367,ICMP,395,0
1599192367,DNS over HTTPS,5736,18574
1599192367,__unknown,25577,767

- snort3.0.1.5 - appid_stats.log with similar traffic
# cat appid_stats.log
1599192609,Google,22731,201644
1599192609,Chrome,574,257
1599192609,HTTP,574,257
1599192609,NetBIOS-ns,3036,0
1599192609,HTTPS,37943,262317
1599192609,SSL client,29790,246317
1599192609,MDNS,3204,0
1599192609,WeTransfer,4886,39253
1599192609,Google Sign in,2173,5420
1599192609,DNS over HTTPS,6224,16712
1599192609,__unknown,2724,4220

On Fri, Sep 4, 2020 at 6:57 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:

In addition, on v3.0.2.5 appid_stats contains lines about wetransfer, facebook etc. But the alert_json log doesn't have them. I think there is a bug about rule matching for appids.

# grep -i wetransfer appid_stats.log
1599189911,WeTransfer,6560,3184
1599190202,WeTransfer,1951,1161
1599190803,WeTransfer,2086,6678
1599191404,WeTransfer,2086,6761
# grep -i wetransfer alert_json.txt
#

On Fri, Sep 4, 2020 at 6:38 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:

Hello,

I am using the FreeBSD stable/12 branch with the netmap daq configuration. snort3 is configured in inline mode with a simple ruleset as below:

block ip any any -> any any ( msg: "block facebook"; appids:"facebook"; sid:9000000; )
block ip any any -> any any ( msg: "block wetransfer "; appids:"wetransfer"; sid:9000001; )
block ip any any -> any any ( msg: "block youtube"; appids:"youtube"; sid:9000002; )
block icmp any any -> any any ( msg: "icmp inline test"; sid:9000003; )

After upgrading from 3.0.1 to 3.0.2, appid detection is not working. Same configuration with:
- snort3.0.1.2 - detection and block action work properly
- snort3.0.1.4 - detection and block action work properly
- snort3.0.2.4 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.
- snort3.0.2.5 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.

appid = { app_detector_dir = '/usr/local/etc/snort' }
rate_filter = { }
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
arp_spoof = { }
back_orifice = { }
dnp3 = { }
dns = { }
http_inspect = { }
http2_inspect = { }
imap = { }
modbus = { }
normalizer = { tcp = { ips = true } }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }

In snort 3.0.2* do we need to change any configuration?

Regards
Özkan

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
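The thread compares appid_stats.log output across builds and checks it against the appids named in the block rules. The following Python script is an added example for doing that comparison mechanically; it is not code from the Snort project or from anyone in the thread. It parses the comma-separated appid_stats.log format exactly as it appears above (timestamp, application name, two numeric counters whose meaning the thread does not state, so they are summed as opaque integers), pulls the expected application names out of the `appids:` option of the rules quoted above, and reports which expected applications never show up and which applications disappeared between two captures. The sample log lines and rules are copied from the thread; splitting the `appids:` value on commas is an assumption made here.

```python
"""Regression check for Snort 3 appid detection after an upgrade or reload.

Added example, not Snort project code.  Input format is the appid_stats.log
layout quoted in the thread: timestamp,app_name,counter1,counter2.
"""
import re
from collections import defaultdict

# Sample data copied from the thread (appid_stats.log on two builds).
STATS_3_0_2_1 = """\
# cat appid_stats.log
1599192367,DNS,3032,5497
1599192367,HTTPS,144450,2774175
1599192367,MDNS,3650,0
1599192367,ICMP,395,0
1599192367,DNS over HTTPS,5736,18574
1599192367,__unknown,25577,767
"""

STATS_3_0_1_5 = """\
# cat appid_stats.log
1599192609,Google,22731,201644
1599192609,Chrome,574,257
1599192609,HTTP,574,257
1599192609,NetBIOS-ns,3036,0
1599192609,HTTPS,37943,262317
1599192609,SSL client,29790,246317
1599192609,MDNS,3204,0
1599192609,WeTransfer,4886,39253
1599192609,Google Sign in,2173,5420
1599192609,DNS over HTTPS,6224,16712
1599192609,__unknown,2724,4220
"""

# The ruleset quoted in the thread; only rules with an appids option matter here.
RULES = """\
block ip any any -> any any ( msg: "block facebook"; appids:"facebook"; sid:9000000; )
block ip any any -> any any ( msg: "block wetransfer "; appids:"wetransfer"; sid:9000001; )
block ip any any -> any any ( msg: "block youtube"; appids:"youtube"; sid:9000002; )
block icmp any any -> any any ( msg: "icmp inline test"; sid:9000003; )
"""

_APPIDS_RE = re.compile(r'appids\s*:\s*"([^"]+)"')


def parse_appid_stats(text):
    """Return {app_name: [sum_counter1, sum_counter2]} aggregated over all rows."""
    totals = defaultdict(lambda: [0, 0])
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the shell prompt lines that were pasted along with the log.
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue  # tolerate a malformed row instead of aborting the whole check
        ts, app, c1, c2 = parts
        try:
            int(ts)
            c1, c2 = int(c1), int(c2)
        except ValueError:
            continue
        totals[app][0] += c1
        totals[app][1] += c2
    return dict(totals)


def expected_apps_from_rules(rules_text):
    """Collect the application names referenced by appids: options, lower-cased.

    Assumption: a comma-separated value lists several applications.
    """
    names = set()
    for match in _APPIDS_RE.finditer(rules_text):
        for name in match.group(1).split(","):
            name = name.strip().lower()
            if name:
                names.add(name)
    return sorted(names)


def missing_apps(stats, expected):
    """Expected application names that have no row in the stats (case-insensitive)."""
    seen = {name.lower() for name in stats}
    return sorted(a for a in expected if a.lower() not in seen)


def compare_runs(before_text, after_text):
    """Applications present in the 'before' capture but absent from 'after'."""
    return sorted(set(parse_appid_stats(before_text)) - set(parse_appid_stats(after_text)))


if __name__ == "__main__":
    expected = expected_apps_from_rules(RULES)
    for label, text in (("3.0.1.5", STATS_3_0_1_5), ("3.0.2.1", STATS_3_0_2_1)):
        print(label, "missing:", missing_apps(parse_appid_stats(text), expected))
    print("vanished after upgrade:", compare_runs(STATS_3_0_1_5, STATS_3_0_2_1))
```

Run it against the two real files after each reload step from the reproduction recipe (empty ruleset then reload, or same rule then SIGHUP) to see whether the application names the rules depend on are still being identified at all, which separates an appid identification failure from a rule-matching failure.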
Current thread:
- Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Shravan Rangarajuvenkata (shrarang) via Snort-devel (Sep 04)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 05)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 14)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Shravan Rangarajuvenkata (shrarang) via Snort-devel (Sep 23)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)