Snort mailing list archives

Re: AppId FTP service detector problem


From: "Joel Esler \(jesler\) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 14 Dec 2020 14:34:28 +0000

This user has been banned from the list.  Apologies for any inconvenience.

On Dec 11, 2020, at 10:47 PM, Steve G via Snort-devel <snort-devel () lists snort org> wrote:

Hi, can you please send me a screenshot or 'kiddy porn' if you remember.
I asked you to archive all data for security reasons. Would you please
help? Bless you!

On 11/20/20, Kani Murthi (kamurthi) via Snort-devel
<snort-devel () lists snort org> wrote:
Hi,
I could not reproduce the issue with the provided pcap. Could you capture
the traffic and enable the AppidDebug log? Make sure the pcap and the log contain
details for the same session.
Thanks,
Kani
From: Rdtsc <oagvozd () gmail com>
Date: Friday, November 20, 2020 at 10:09 AM
To: kamurthi <kamurthi () cisco com>
Cc: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Sure, will do that.

Sending pcaps:

1. ftpBad/ftpOk - pcaps for the bad and good cases, from Wireshark on the Windows
7 client (where the FTP client runs)

2. ftpGateBad/ftpGateOk - pcaps for the bad and good cases, from tcpdump on the
Linux gate (where snort runs)




On Fri, 20 Nov 2020 at 09:07, Kani Murthi (kamurthi)
<kamurthi () cisco com> wrote:
Hi,
It looks like the pcap has been captured with the "any" device option, which is
causing a pseudo-protocol issue. Could you capture the traffic on the actual
interface? Also, could you run it against snort3 to avoid any pcap-related
errors?

Thanks,
Kani
From: Meridoff <oagvozd () gmail com>
Date: Tuesday, November 10, 2020 at 2:41 PM
To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Sure, here it is.

My client is Windows 7 running FileZilla, connecting to the anonymous FTP server at
ftp.botik.ru <http://ftp.botik.ru/>.

My gate is Linux with snort 3.0.1 (build 4), Lua 5.1, which does NAT masquerading
for Internet access from the LAN.

Snort is in NFQ/TAP mode. The nfqueue rule is set up OK and works. Snort is using only 1
thread (for simplicity).

Configs and pcaps are included.

Files description:

1. configBAD (no alerts at all) - is the same as configOK (alerts
work fine), except that it includes snort-malware-other.rules
2. m.rules - my appid rules; with configOK the "FTP" rule alerts
3. pcap files - the same FTP traffic for both cases, OK and BAD.

On Wed, 4 Nov 2020 at 17:44, Shravan Rangarajuvenkata (shrarang)
<shrarang () cisco com> wrote:
We tried to reproduce this issue locally but could not.

Is it possible for you to send a pcap with the traffic for which you are
seeing this issue? Can you also send your snort3 configuration (the Lua
files)?

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org>
on behalf of "Shravan Rangarajuvenkata (shrarang) via Snort-devel"
<snort-devel () lists snort org>
Reply-To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Date: Friday, October 23, 2020 at 5:12 PM
To: Meridoff <oagvozd () gmail com>,
"snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Thanks for reporting the issue! We will try to reproduce this issue locally
and will reach out to you if we need any help.

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org>
on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Friday, October 23, 2020 at 2:17 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] AppId FTP service detector problem

Hello, I have manual rules with appid:ftp, ftp_data and other ftp_* appid
rules.

None of them work on FTP traffic if I use the snort3-malware-other rules
(and maybe some others).

If I use only my manual appid ftp rule, then all is OK:
ftp/ftp_data/ftp_passive and so on WORK fine!

When I include the snort3-malware-other rule file in the config, the manual appid rule
doesn't work.

The ftp-server/client/wizard/binder inspectors are in the config.

I've found that some rules with sid 21256 and 21255 can influence
this problem.

Some AppidDebug output from my log when the problem occurs:

Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Related flow created for 10.0.1.3-0 -> 193.232.174.1-44689 6
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: payload
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Published event for changes: service
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 2 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 Published event for changes: service
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Packet out-of-order, not-ok mid-stream flow

Thanks.
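Reading AppIdDbg output like the log above by eye gets tedious once a session spans many lines and syslog starts collapsing repeats. The script below is an added example for this thread, not code from the list, the reporter, or the Snort project. It groups AppIdDbg lines by flow 5-tuple, expands syslog's "message repeated N times: [ ... ]" collapsing, records each detector's state transitions, and flags flows where a service candidate reported success but the service detector then keeps reporting in-process, plus flows that AppId opened mid-stream. It assumes only the line layout visible in the log above (syslog prefix, `AppIdDbg`, source/port `->` destination/port, protocol number, `AS=`/`ID=`, then the event text); the state names and codes are taken from the log as labels, with no interpretation of Snort internals beyond that. The sample lines are copied from the log in this message.

```python
import re
from collections import defaultdict

# Syslog prefix as seen in the thread: "Oct 23 18:55:35 ns snort[29636]: <msg>"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# syslog's collapsing of identical consecutive lines
REPEAT_RE = re.compile(r'^message repeated (?P<n>\d+) times: \[ (?P<msg>.*)\]$')
# AppIdDbg flow header: "AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 <event>"
FLOW_RE = re.compile(
    r'^AppIdDbg (?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) '
    r'AS=(?P<as>\d+) ID=(?P<id>\d+) (?P<event>.*)$')
# Detector state events: "ftp service candidate returned in-process (10)"
DETECT_RE = re.compile(
    r'^(?P<name>\S+) (?P<role>service|client) (?P<stage>candidate|detector) '
    r'returned (?P<state>\S+) \((?P<code>\d+)\)$')

# Sample lines copied (unwrapped) from the log posted in this thread.
SAMPLE_LOG = """\
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
""".splitlines()


def parse_line(line):
    """Return (repeat_count, flow_key, event_text), or None for non-AppIdDbg lines."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg, count = m.group('msg'), 1
    r = REPEAT_RE.match(msg)
    if r:  # expand the syslog repeat marker into a count
        count, msg = int(r.group('n')), r.group('msg').strip()
    f = FLOW_RE.match(msg)
    if not f:
        return None
    key = (f['src'], int(f['sport']), f['dst'], int(f['dport']), int(f['proto']))
    return count, key, f['event'].strip()


def summarize(lines):
    """Per flow: de-duplicated detector transitions, repeat-expanded counts, other events."""
    flows = defaultdict(lambda: {'transitions': [], 'counts': defaultdict(int), 'events': []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        count, key, event = parsed
        rec = flows[key]
        d = DETECT_RE.match(event)
        if d:
            t = (d['name'], d['role'], d['stage'], d['state'], int(d['code']))
            rec['counts'][t] += count
            if not rec['transitions'] or rec['transitions'][-1] != t:
                rec['transitions'].append(t)
        else:
            rec['events'].append(event)
    return flows


def service_not_finalized(flows):
    """Flows where a service candidate reported success but the last service state is in-process."""
    out = []
    for key, rec in flows.items():
        service = [t for t in rec['transitions'] if t[1] == 'service']
        if any(t[3] == 'success' for t in service) and service and service[-1][3] == 'in-process':
            out.append(key)
    return out


def mid_stream_flows(flows):
    """Flows AppId reports as picked up mid-stream (start of the session was not seen)."""
    return [k for k, rec in flows.items() if 'New AppId mid-stream session' in rec['events']]


if __name__ == '__main__':
    flows = summarize(SAMPLE_LOG)
    for key, rec in flows.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} proto {key[4]}")
        for t in rec['transitions']:
            print(f"  {t[0]} {t[1]} {t[2]} -> {t[3]} ({t[4]}) x{rec['counts'][t]}")
        for e in rec['events']:
            print(f"  event: {e}")
    print("service success then stuck in-process:", service_not_finalized(flows))
    print("mid-stream flows:", mid_stream_flows(flows))
```

Run it against a full AppidDebug capture (for example `summarize(open('snort.log').read().splitlines())`) and compare the control-channel flow in the OK and BAD captures: the transition list is what changed between the two configurations, and it is far easier to diff than the raw log.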


_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
