Snort mailing list archives
AppID and OpenVPN (snort 3 on FreeBSD 12.x)
From: mike tancsa <mike () sentex net>
Date: Wed, 11 Aug 2021 09:45:38 -0400
I am just starting to experiment with snort3 and was trying out some local rulesets that I think should work, but are not. The first rule does log, so so far so good:

alert icmp $HOME_NET any -> 8.8.8.8/32 any (msg:"ICMP connection test"; sid:1000001; rev:1;)

8/11-09:27:26.408136 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] {ICMP} 192.168.0.67 -> 8.8.8.8

But I can't get the second to fire for some reason.

alert udp any any -> any any ( msg:"OpenVPN found"; appids:"OpenVPN"; sid:1000002; rev:1; )

I am using UDP for the protocol, but it's on a non-standard port. I think I added the port to the right location (content_group_port_services_2pac_old.lua) --

OpenVPN {353, 1194, 6}, {353, 1194, 17}, {353, 11600, 17},

but it still does not pick it up. Also, is it all just port based, or does the AppID engine have enough smarts to recognize the protocol if it's running on an arbitrary port? I am using snort3 from the ports. In the app ID stats, I do get

1628612851,__unknown,83634,820169
1628612851,DNS,1570,4699
1628612851,Firefox,10558,297761
1628612851,HTTP,41289,1290390
1628612851,OpenSSH,4743,4196
1628612851,RTP,606476,606476
1628612851,SSH,4743,4196
1628612851,IMAPS,15537,605189
1628612851,HTTPS,2036,6811
1628612851,MDNS,1520,0

I guess it's just part of "unknown"?
# snort -v -c /usr/local/etc/snort/snort.lua -i em0 -l /var/log/snort/
--------------------------------------------------
o")~ Snort++ 3.1.7.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Lua Allowlist Keywords for /usr/local/etc/snort/snort.lua:
default_classifications, default_ftp_server, default_gtp, default_hi_port_scan, default_low_port_scan, default_med_port_scan, default_references, default_smtp, default_variables, default_wizard, file_magic, ftp_command_specs, gtp_v0_info, gtp_v0_msg, gtp_v1_info, gtp_v1_msg, gtp_v2_info, gtp_v2_msg, http_methods, icmp_hi_sweep, icmp_low_sweep, icmp_med_sweep, ip_hi_decoy, ip_hi_dist, ip_hi_proto, ip_hi_sweep, ip_low_decoy, ip_low_dist, ip_low_proto, ip_low_sweep, ip_med_decoy, ip_med_dist, ip_med_proto, ip_med_sweep, netflow_versions, sip_methods, smtp_default_alt_max_command_lines, tcp_hi_decoy, tcp_hi_dist, tcp_hi_ports, tcp_hi_sweep, tcp_low_decoy, tcp_low_dist, tcp_low_ports, tcp_low_sweep, tcp_med_decoy, tcp_med_dist, tcp_med_ports, tcp_med_sweep, telnet_commands, udp_hi_decoy, udp_hi_dist, udp_hi_ports, udp_hi_sweep, udp_low_decoy, udp_low_dist, udp_low_ports, udp_low_sweep, udp_med_decoy, udp_med_dist, udp_med_ports, udp_med_sweep
ssh hosts host_cache pop so_proxy stream_tcp smtp gtp_inspect packets dce_http_proxy stream_icmp normalizer alerts file_log alert_fast ips process binder wizard stream_udp appid file_id ftp_data search_engine ftp_server port_scan dce_http_server dce_tcp dce_smb telnet ssl sip rpc_decode netflow iec104 http2_inspect http_inspect modbus host_tracker stream_user stream_ip back_orifice classifications dnp3 active ftp_client decode daq stream references arp_spoof output trace dns network dce_udp imap stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading /usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules:
Finished /usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules:
Loading ips.rules:
Loading /usr/local/etc/snort/rules/snort3-app-detect.rules:
Finished /usr/local/etc/snort/rules/snort3-app-detect.rules:
Loading /usr/local/etc/snort/rules/snort3-browser-chrome.rules:
Finished /usr/local/etc/snort/rules/snort3-browser-chrome.rules:
Loading /usr/local/etc/snort/rules/snort3-sql.rules:
Finished /usr/local/etc/snort/rules/snort3-sql.rules:
Loading /usr/local/etc/snort/rules/snort3-x11.rules:
Finished /usr/local/etc/snort/rules/snort3-x11.rules:
Loading /usr/local/etc/snort/rules/local.rules:
Finished /usr/local/etc/snort/rules/local.rules:
Finished ips.rules:
--------------------------------------------------
rule counts
total rules loaded: 1452
duplicate rules: 2
text rules: 867
builtin rules: 585
option chains: 1452
chain headers: 507
--------------------------------------------------
port rule counts
             tcp   udp  icmp    ip
any          648     4     1     0
src          135     2     0     0
dst          564    98     0     0
both           0     1     0     0
total       1347   105     1     0
--------------------------------------------------
ips policies rule stats
id  loaded  shared  enabled  file
0   1452    2       1452     /usr/local/etc/snort/snort.lua
--------------------------------------------------
flowbits
defined: 26
not checked: 16
not set: 4
--------------------------------------------------
service rule counts
               to-srv  to-cli
dns:               89       2
drda:               2       0
ftp:                7       2
ftp-data:           0      17
http:             499     101
http2:            499     101
imap:               0      17
irc:                4       1
mysql:              1       0
netbios-ssn:       15       1
pop3:               0      17
smtp:              25       0
ssl:               14      31
telnet:             1       0
total:           1156     290
--------------------------------------------------
fast pattern port groups
          src  dst  any
packet:    14   30    2
--------------------------------------------------
fast pattern service groups
          to-srv  to-cli
packet:       11       7
key:           2       0
header:        2       5
body:          2       0
file:          2       5
method:        2       0
--------------------------------------------------
search engine
instances: 80
patterns: 1801
pattern chars: 38436
num states: 29742
num match states: 1804
memory scale: KB
total memory: 841.234
pattern memory: 107.809
match list memory: 297.266
transition memory: 426.16
--------------------------------------------------
Inspection Policy : policy id 0 : /usr/local/etc/snort/snort.lua
--------------------------------------------------
appid:
    app_detector_dir: /usr/local/etc/snort/appid
    app_stats_period: 300
    app_stats_rollover_size: 20971520
    list_odp_detectors: disabled
    tp_appid_stats_enable: disabled
    tp_appid_config_dump: disabled
    log_all_sessions: disabled
    log_stats: enabled
    memcap: 1048576
--------------------------------------------------
arp_spoof:
--------------------------------------------------
back_orifice:
--------------------------------------------------
binder:
    bindings:
    { when = { role = server, proto = udp, ports = 53 }, use = { type = dns } }
    { when = { role = server, proto = tcp, ports = 53 }, use = { type = dns } }
    { when = { role = server, proto = tcp, ports = 111 }, use = { type = rpc_decode } }
    { when = { role = server, proto = tcp, ports = 502 }, use = { type = modbus } }
    { when = { role = server, proto = tcp, ports = 2123 2152 3386 }, use = { type = gtp_inspect } }
    { when = { role = server, proto = tcp, ports = 2404 }, use = { type = iec104 } }
    { when = { service = dcerpc, proto = tcp }, use = { type = dce_tcp } }
    { when = { service = dcerpc, proto = udp }, use = { type = dce_udp } }
    { when = { service = netflow, proto = udp }, use = { type = netflow } }
    { when = { service = netbios-ssn }, use = { type = dce_smb } }
    { when = { service = dce_http_server }, use = { type = dce_http_server } }
    { when = { service = dce_http_proxy }, use = { type = dce_http_proxy } }
    { when = { service = dnp3 }, use = { type = dnp3 } }
    { when = { service = dns }, use = { type = dns } }
    { when = { service = ftp }, use = { type = ftp_server } }
    { when = { service = ftp-data }, use = { type = ftp_data } }
    { when = { service = gtp }, use = { type = gtp_inspect } }
    { when = { service = imap }, use = { type = imap } }
    { when = { service = http }, use = { type = http_inspect } }
    { when = { service = http2 }, use = { type = http2_inspect } }
    { when = { service = iec104 }, use = { type = iec104 } }
    { when = { service = modbus }, use = { type = modbus } }
    { when = { service = pop3 }, use = { type = pop } }
    { when = { service = ssh }, use = { type = ssh } }
    { when = { service = sip }, use = { type = sip } }
    { when = { service = smtp }, use = { type = smtp } }
    { when = { service = ssl }, use = { type = ssl } }
    { when = { service = sunrpc }, use = { type = rpc_decode } }
    { when = { service = telnet }, use = { type = telnet } }
    { when = { }, use = { type = wizard } }
--------------------------------------------------
dce_http_proxy:
--------------------------------------------------
dce_http_server:
--------------------------------------------------
dce_smb:
    limit_alerts: enabled
    disable_defrag: disabled
    max_frag_len: 65535
    policy: WinXP
    reassemble_threshold: 0
    smb_fingerprint_policy: disabled
    smb_max_chain: 3
    smb_max_compound: 3
    valid_smb_versions: all
    smb_file_depth: 16384
    smb_invalid_shares: none
    smb_legacy_mode: disabled
    smb_max_credit: 8192
--------------------------------------------------
dce_tcp:
    limit_alerts: enabled
    disable_defrag: disabled
    max_frag_len: 65535
    policy: WinXP
    reassemble_threshold: 0
--------------------------------------------------
dce_udp:
    limit_alerts: enabled
    disable_defrag: disabled
    max_frag_len: 65535
--------------------------------------------------
dnp3:
    check_crc: disabled
--------------------------------------------------
dns:
--------------------------------------------------
file_id:
    enable_type: enabled
    type_depth: 1460
    enable_signature: disabled
    block_timeout_lookup: disabled
    enable_capture: disabled
    lookup_timeout: 2
    max_files_cached: 65536
    max_files_per_flow: 128
    show_data_depth: 100
    trace_type: disabled
    trace_signature: disabled
    trace_stream: disabled
    verdict_delay: 0
--------------------------------------------------
file_log:
    log_pkt_time: enabled
    log_sys_time: disabled
--------------------------------------------------
ftp_client:
    bounce: disabled
    ignore_telnet_erase_cmds: disabled
    max_resp_len: 4294967295
    telnet_cmds: disabled
--------------------------------------------------
ftp_data:
--------------------------------------------------
ftp_server:
    check_encrypted: disabled
    def_max_param_len: 100
    encrypted_traffic: disabled
    ignore_data_chan: disabled
    ignore_telnet_erase_cmds: disabled
    telnet_cmds: disabled
    print_cmds: disabled
--------------------------------------------------
gtp_inspect:
--------------------------------------------------
http2_inspect:
    concurrent_streams_limit: 100
--------------------------------------------------
http_inspect:
    request_depth: -1 (unlimited)
    response_depth: -1 (unlimited)
    unzip: enabled
    normalize_utf: enabled
    decompress_pdf: disabled
    decompress_swf: disabled
    decompress_zip: disabled
    script_detection: disabled
    normalize_javascript: disabled
    max_javascript_whitespaces: 200
    js_normalization_depth: 0
    percent_u: disabled
    utf8: enabled
    utf8_bare_byte: disabled
    iis_unicode: disabled
    iis_unicode_code_page: 1252
    iis_double_decode: enabled
    oversize_dir_length: 300
    backslash_to_slash: enabled
    plus_to_space: enabled
    simplify_path: enabled
    xff_headers: x-forwarded-for true-client-ip
    request_body_app_detection: disabled
--------------------------------------------------
iec104:
--------------------------------------------------
imap:
    b64_decode_depth: -1 (unlimited)
    qp_decode_depth: -1 (unlimited)
    uu_decode_depth: -1 (unlimited)
    bitenc_decode_depth: -1 (unlimited)
    decompress_pdf: disabled
    decompress_swf: disabled
    decompress_zip: disabled
--------------------------------------------------
modbus:
--------------------------------------------------
netflow:
    update_timeout: 3600
--------------------------------------------------
normalizer:
    ip4: disabled
    ip6: disabled
    icmp4: disabled
    icmp6: disabled
    tcp: enabled
    tcp: { ecn = disabled, block = disabled, rsv = disabled, pad = disabled, req_urg = disabled, req_pay = disabled, req_urp = disabled, urp = disabled, ips = enabled, trim = disabled }
--------------------------------------------------
pop:
    b64_decode_depth: -1 (unlimited)
    qp_decode_depth: -1 (unlimited)
    uu_decode_depth: -1 (unlimited)
    bitenc_decode_depth: -1 (unlimited)
    decompress_pdf: disabled
    decompress_swf: disabled
    decompress_zip: disabled
--------------------------------------------------
port_scan:
    memcap: 10485760
    protos: all
    scan_types: all
    alert_all: disabled
    include_midstream: disabled
    tcp_window: 90
    udp_window: 90
    ip_window: 90
    icmp_window: 90
--------------------------------------------------
rpc_decode:
--------------------------------------------------
sip:
    ignore_call_channel: disabled
    max_call_id_len: 256
    max_contact_len: 256
    max_content_len: 1024
    max_dialogs: 4
    max_from_len: 256
    max_requestName_len: 20
    max_to_len: 256
    max_uri_len: 256
    max_via_len: 1024
    methods: invite cancel ack bye register options
--------------------------------------------------
smtp:
    normalize: none
    normalize_cmds: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
    ignore_tls_data: disabled
    max_command_line_len: 512
    alt_max_command_line_len: { {ATRN, 255}, {AUTH, 246}, {BDAT, 255}, {DATA, 246}, {DEBUG, 255}, {EHLO, 500}, {EMAL, 255}, {ESAM, 255}, {ESND, 255}, {ESOM, 255}, {ETRN, 500}, {EVFY, 255}, {EXPN, 255}, {HELO, 500}, {HELP, 500}, {IDENT, 255}, {MAIL, 260}, {NOOP, 255}, {ONEX, 246}, {QUEU, 246}, {QUIT, 246}, {RCPT, 300}, {RSET, 255}, {SAML, 246}, {SEND, 246}, {SIZE, 255}, {STARTTLS, 246}, {SOML, 246}, {TICK, 246}, {TIME, 246}, {TURN, 246}, {TURNME, 246}, {VERB, 246}, {VRFY, 255}, {X-EXPS, 246}, {XADR, 246}, {XAUTH, 246}, {XCIR, 246}, {XEXCH50, 246}, {XGEN, 246}, {XLICENSE, 246}, {X-LINK2STATE, 246}, {XQUE, 246}, {XSTA, 246}, {XTRN, 246}, {XUSR, 246} }
    max_header_line_len: 1000
    max_auth_command_line_len: 1000
    max_response_line_length: 512
    xlink2state: alert
    invalid_cmds: none
    auth_cmds: AUTH X-EXPS XAUTH
    binary_data_cmds: BDAT XEXCH50
    data_cmds: DATA
    valid_cmds: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR * CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
    b64_decode_depth: -1 (unlimited)
    qp_decode_depth: -1 (unlimited)
    uu_decode_depth: -1 (unlimited)
    bitenc_decode_depth: -1 (unlimited)
    ignore_data: disabled
    decompress_pdf: disabled
    decompress_swf: disabled
    decompress_zip: disabled
    log_mailfrom: disabled
    log_rcptto: disabled
    log_filename: enabled
    log_email_hdrs: disabled
--------------------------------------------------
so_proxy:
--------------------------------------------------
ssh:
    max_encrypted_packets: 25
    max_client_bytes: 19600
    max_server_version_len: 80
--------------------------------------------------
ssl:
    trust_servers: disabled
    max_heartbeat_length: 0
--------------------------------------------------
stream:
    ip_frags_only: disabled
    max_flows: 476288
    max_aux_ip: 16
    pruning_timeout: 30
    ip_cache: { idle_timeout = 180, cap_weight = 0 }
    tcp_cache: { idle_timeout = 3600, cap_weight = 11000 }
    udp_cache: { idle_timeout = 180, cap_weight = 0 }
    icmp_cache: { idle_timeout = 180, cap_weight = 0 }
    user_cache: { idle_timeout = 180, cap_weight = 0 }
    file_cache: { idle_timeout = 180, cap_weight = 32 }
--------------------------------------------------
stream_file:
    upload: disabled
--------------------------------------------------
stream_icmp:
    session_timeout: 30
--------------------------------------------------
stream_ip:
    max_frags: 8192
    max_overlaps: 0
    min_frag_length: 0
    min_ttl: 1
    policy: linux
    session_timeout: 30
--------------------------------------------------
stream_tcp:
    flush_factor: 0
    max_pdu: 16384
    max_window: 0
    no_ack: disabled
    overlap_limit: 0
    policy: bsd
    queue_limit: { max_bytes = 1048576, max_segments = 2621 }
    reassemble_async: enabled
    require_3whs: -1 (disabled)
    session_timeout: 30
    small_segments: { count = 0, maximum_size = 0 }
    track_only: disabled
--------------------------------------------------
stream_udp:
    session_timeout: 30
--------------------------------------------------
stream_user:
    session_timeout: 30
--------------------------------------------------
telnet:
    ayt_attack_thresh: -1
    check_encrypted: disabled
    encrypted_traffic: disabled
    normalize: disabled
--------------------------------------------------
wizard:
--------------------------------------------------
pcap DAQ configured to passive.
--------------------------------------------------
host_cache memcap: 8388608 bytes
Commencing packet processing
++ [0] em0
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64

---Mike

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
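The post's last question is whether the OpenVPN traffic simply lands in `__unknown`. A quick way to answer that for any capture period is to aggregate the AppID stats lines and measure how much of the byte volume AppID failed to classify; the script below is an added example, not code from the thread or from Snort, and it assumes the four CSV columns are unix time, application name, bytes to server and bytes to client (the column meaning is not confirmed by the post).

```python
"""Aggregate Snort 3 AppID stats lines and measure unclassified traffic.

Assumed column order (an assumption, not stated in the thread):
unix_time, app_name, bytes_to_server, bytes_to_client.
"""
from collections import defaultdict
import csv
import io

# Constructed sample, modelled on the lines quoted in the post; the
# second timestamp simulates a later app_stats_period interval.
SAMPLE = """1628612851,__unknown,83634,820169
1628612851,DNS,1570,4699
1628612851,HTTPS,2036,6811
1628613151,__unknown,1000,2000
1628613151,DNS,500,500
not,a,valid,line,at,all
"""


def parse_appid_stats(text):
    """Return {app: (bytes_to_server, bytes_to_client)} summed over all
    intervals. Lines with the wrong field count or non-numeric byte
    counts are skipped so a partially written log does not abort the run."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        try:
            to_srv, to_cli = int(row[2]), int(row[3])
        except ValueError:
            continue
        totals[row[1]][0] += to_srv
        totals[row[1]][1] += to_cli
    return {app: tuple(v) for app, v in totals.items()}


def unknown_share(totals):
    """Fraction of all bytes AppID could not attribute to an application.
    A high value means traffic such as a VPN on a non-standard port is
    probably sitting in __unknown, where an appids-based rule never sees it."""
    all_bytes = sum(s + c for s, c in totals.values())
    if all_bytes == 0:
        return 0.0
    unk_srv, unk_cli = totals.get("__unknown", (0, 0))
    return (unk_srv + unk_cli) / all_bytes


def top_apps(totals, n=5):
    """Applications ordered by total bytes, largest first."""
    return sorted(totals.items(), key=lambda kv: -(kv[1][0] + kv[1][1]))[:n]


if __name__ == "__main__":
    t = parse_appid_stats(SAMPLE)
    print(f"unclassified share: {unknown_share(t):.1%}")
    for app, (srv, cli) in top_apps(t):
        print(f"{app:12s} to-srv={srv:>9d} to-cli={cli:>9d}")
```

Point it at the real appid_stats log and a share that stays high after adding the port entry is a strong hint that the detector is not being consulted for that port.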