Snort mailing list archives
Re: AppId FTP service detector problem
From: "Kani Murthi \(kamurthi\) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 20 Nov 2020 23:52:17 +0000
Hi,

I could not reproduce the issue with the provided pcap. Could you capture the traffic and enable the AppidDebug log? Make sure the pcap and log contain details for the same session.

Thanks,
Kani

From: Rdtsc <oagvozd () gmail com>
Date: Friday, November 20, 2020 at 10:09 AM
To: kamurthi <kamurthi () cisco com>
Cc: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Sure, will do that. Sending pcaps:
1. ftpBad/ftpOk - are pcaps for the bad and good cases from Wireshark on the Windows 7 client (where the FTP client runs)
2. ftpGateBad/ftpGateOk - are pcaps for the bad and good cases from tcpdump on the Linux gate (where snort runs)

Fri, 20 Nov 2020 at 09:07, Kani Murthi (kamurthi) <kamurthi () cisco com>:

Hi,

It looks like the pcap has been captured with the "any" device option, which is causing the pseudo protocol issue. Could you capture the traffic with the actual interface? Also, could you run it against snort3 to avoid any pcap related errors?

Thanks,
Kani

From: Meridoff <oagvozd () gmail com>
Date: Tuesday, November 10, 2020 at 2:41 PM
To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Sure, here it is. My client is Windows 7 running FileZilla to go to anonymous ftp at ftp.botik.ru. My gate is Linux with snort 3.0.1 (build 4), Lua 5.1, that does NAT masquerade for Internet access from the LAN. Snort is in NFQ/TAP mode. The nfqueue rule is set up OK and works. Using only 1 thread in snort (for simplicity). Configs and pcaps are included.
Files description:
1. configBAD (when no alerts at all) - is the same as configOK (when alerts work fine), except it includes snort-malware-other.rules
2. m.rules - is my appid rules; in case of configOK the rule "FTP" is alerted
3. pcap files - are the same FTP traffic for both cases - OK and BAD.

Wed, 4 Nov 2020 at 17:44, Shravan Rangarajuvenkata (shrarang) <shrarang () cisco com>:

We tried to reproduce this issue locally but could not. Is it possible for you to send a pcap with the traffic for which you are seeing this issue? Can you also send your snort3 configuration (the Lua files)?

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of "Shravan Rangarajuvenkata (shrarang) via Snort-devel" <snort-devel () lists snort org>
Reply-To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Date: Friday, October 23, 2020 at 5:12 PM
To: Meridoff <oagvozd () gmail com>, "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Thanks for reporting the issue! We will try to reproduce this issue locally and will reach out to you if we need any help.

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Friday, October 23, 2020 at 2:17 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] AppId FTP service detector problem

Hello,

I have manual rules with appid:ftp, ftp_data and other ftp_* appid rules. None of them are working on FTP traffic if I use the snort3-malware-other rules (and maybe some others). If I use only my manual appid ftp rule, then all is OK: ftp/ftp_data/ftp_passive and so on WORK fine!
When I include the snort3-malware-other rule file in the config, the manual appid rule doesn't work. Inspectors ftp-server/client/wizard/binder are in the config. I've recognized that some rules with sid 21256 and 21255 can influence this problem.
Some AppidDebug in my log when the problem occurs:

Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Related flow created for 10.0.1.3-0 -> 193.232.174.1-44689 6
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: payload
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Published event for changes: service
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 2 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 Published event for changes: service
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Packet out-of-order, not-ok mid-stream flow

Thanks.
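As an added example (not code from the thread or from the Snort project), a small Python parser for the AppIdDbg lines quoted above: it groups the records per flow regardless of direction and condenses each flow into which service detectors ever returned success, the last verdict seen per detector, and whether AppId re-created the flow mid-stream. The embedded log is a constructed subset of the lines in the message; the summary shape and the function names are my own assumptions.

```python
import re
from collections import defaultdict

# AppIdDbg record inside a syslog line; the optional trailing "]" covers the
# "message repeated N times: [ ... ]" form that appears in the log above.
APPID_RE = re.compile(r"AppIdDbg (\S+) (\d+) -> (\S+) (\d+) (\d+) AS=\d+ ID=\d+ (.+?)\]?$")
RESULT_RE = re.compile(r"^(\w+) (service|client|payload) (candidate|detector) returned ([\w-]+) \((\d+)\)$")

# Constructed sample: a subset of the AppIdDbg lines quoted in the thread.
SAMPLE_LOG = """\
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Packet out-of-order, not-ok mid-stream flow
"""

def parse_line(line):
    # Key is direction-independent so both halves of a flow group together.
    m = APPID_RE.search(line.strip())
    if not m:
        return None
    src, sport, dst, dport, proto, msg = m.groups()
    key = tuple(sorted([(src, int(sport)), (dst, int(dport))])) + (int(proto),)
    return {"session": key, "msg": msg}

def summarize(lines):
    # Per session: detector verdicts, published AppId events, everything else.
    sessions = defaultdict(lambda: {"results": [], "events": [], "notes": []})
    for rec in filter(None, map(parse_line, lines)):
        s, msg = sessions[rec["session"]], rec["msg"]
        r = RESULT_RE.match(msg)
        if r:
            name, kind, stage, result, code = r.groups()
            s["results"].append((name, kind, stage, result, int(code)))
        elif msg.startswith("Published event for changes: "):
            s["events"].append(msg.split(": ", 1)[1])
        else:
            s["notes"].append(msg)
    return dict(sessions)

def service_state(s):
    # Ever-successful service detectors, last verdict per detector, mid-stream flag.
    succeeded = sorted({n for n, k, _, r, _ in s["results"] if k == "service" and r == "success"})
    final = {(n, k): r for n, k, _, r, _ in s["results"]}
    midstream = any("mid-stream" in note for note in s["notes"])
    return {"succeeded": succeeded, "final": final, "midstream": midstream}
```

Run over the full log from a bad and a good capture, the control-channel flow should show the same "ftp succeeded but detector still in-process" shape in both; the mid-stream flag is the thing to compare, since it marks the point where AppId lost the session.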