Snort mailing list archives

Re: AppId FTP service detector problem


From: "Kani Murthi \(kamurthi\) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 20 Nov 2020 06:07:15 +0000

Hi,
It looks like the pcap has been captured with the “any” device option, which is causing a pseudo-protocol issue. Could you capture the traffic with the actual interface? Also, could you run it against snort3 to avoid any pcap-related errors?

Thanks,
Kani
From: Meridoff <oagvozd () gmail com>
Date: Tuesday, November 10, 2020 at 2:41 PM
To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Sure, here it is.

My client is Windows 7 running FileZilla to go to anonymous ftp at ftp.botik.ru.

My gate is Linux with snort 3.0.1 (build 4), Lua 5.1, that does NAT masquerade for Internet access from the LAN.

Snort is in NFQ/TAP mode. The nfqueue rule is set up OK and works. Using only 1 thread in snort (for simplicity).

Configs and pcaps are included.

Files description:

1. configBAD (when no alerts at all) is the same as configOK (when alerts work fine), except that it includes snort-malware-other.rules
2. m.rules is my appid rules; in the case of configOK the rule "FTP" is alerted
3. pcap files are the same FTP traffic for both cases, OK and BAD.

Wed, 4 Nov 2020 at 17:44, Shravan Rangarajuvenkata (shrarang) <shrarang () cisco com>:
We tried to reproduce this issue locally but could not.

Is it possible for you to send a pcap with the traffic for which you are seeing this issue? Can you also send your snort3 configuration (the Lua files)?

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of "Shravan Rangarajuvenkata (shrarang) via Snort-devel" <snort-devel () lists snort org>
Reply-To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Date: Friday, October 23, 2020 at 5:12 PM
To: Meridoff <oagvozd () gmail com>, "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Thanks for reporting the issue! We will try to reproduce this issue locally and will reach out to you if we need any help.

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Friday, October 23, 2020 at 2:17 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] AppId FTP service detector problem

Hello, I have manual rules with appid:ftp, ftp_data and other ftp_* appid rules.

None of them are working on FTP traffic if I use the snort3-malware-other rules (and maybe some others).

If I use only my manual appid ftp rule, then all is OK: ftp/ftp_data/ftp_passive and so on WORK fine!

When I include the snort3-malware-other rule file in the config, the manual appid rule doesn't work.

Inspectors ftp-server/client/wizard/binder are in config.

I've recognized that some rules with sid 21256 and 21255 can influence this problem.

Some AppidDebug in my log when problem occurs:

Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Related flow created for 10.0.1.3-0 -> 193.232.174.1-44689 6
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: payload
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Published event for changes: service
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 2 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 Published event for changes: service
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Packet out-of-order, not-ok mid-stream flow

Thanks.
