Snort mailing list archives
Re: AppId FTP service detector problem
From: Steve G via Snort-devel <snort-devel () lists snort org>
Date: Tue, 27 Oct 2020 19:15:33 -0700
thank you! i found in rules inappopate I DID NOT GO TO THESE SITES! IS THIS REAL OR EXAMPLE? On 10/23/20, Sg <sgimmlaw () gmail com> wrote:
the hacker wrote a script to trick snort one is locked -- Sent from my Alcatel A405DL Shravan Rangarajuvenkata (shrarang\) wrote:Thanks for reporting the issue! We will try to reproduce this issue locally and will reach out to you if we need any help. Thanks, Shravan From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org> Reply-To: Meridoff <oagvozd () gmail com> Date: Friday, October 23, 2020 at 2:17 PM To: "snort-devel () lists snort org" <snort-devel () lists snort org> Subject: [Snort-devel] AppId FTP service detector problem Hello, I have manual rules with appid:ftp ,ftp_data and other ftp_* appids rules. None of them are working on FTP-traffic if I use snort3-malware-other rules (and may be some others). If I use only my manual appid ftp rule, then all is OK: ftp/ftp_data/ftp_passive and so on are WORKS fine! When I include snort3-malware-other rule file in config : manual appid rule doesn't work. Inspectors ftp-server/client/wizard/binder are in config. I've recognized that some rules with sid 21256 and 21255 can fluences to this problem. Some AppidDebug in my log when problem occurs: Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10) Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100) Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10) Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned in-process (10) Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0) Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10) Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned success (0) Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10) Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)] Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Related flow created for 10.0.1.3-0 -> 193.232.174.1-44689 6 Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10) Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: payload Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Published event for changes: service Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166) Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10) Oct 23 18:55:41 ns snort[29636]: message repeated 2 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)] Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 ftp service detector returned in-process (10) Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 Published event for changes: service Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Packet out-of-order, not-ok mid-stream flow Thanks.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- AppId FTP service detector problem Meridoff via Snort-devel (Oct 23)
- Re: AppId FTP service detector problem Shravan Rangarajuvenkata (shrarang) via Snort-devel (Oct 23)
- Re: AppId FTP service detector problem Sg via Snort-devel (Oct 26)
- Re: AppId FTP service detector problem Steve G via Snort-devel (Oct 27)
- Re: AppId FTP service detector problem Shravan Rangarajuvenkata (shrarang) via Snort-devel (Nov 04)
- Re: AppId FTP service detector problem Meridoff via Snort-devel (Nov 05)
- Message not available
- Message not available
- Message not available
- Re: AppId FTP service detector problem Kani Murthi (kamurthi) via Snort-devel (Nov 23)
- Re: AppId FTP service detector problem Rdtsc via Snort-devel (Nov 20)
- Re: AppId FTP service detector problem Kani Murthi (kamurthi) via Snort-devel (Nov 23)
- Re: AppId FTP service detector problem Steve G via Snort-devel (Dec 11)
- Re: AppId FTP service detector problem Joel Esler (jesler) via Snort-devel (Dec 14)
- Re: AppId FTP service detector problem Sg via Snort-devel (Oct 26)
- Re: AppId FTP service detector problem Shravan Rangarajuvenkata (shrarang) via Snort-devel (Oct 23)