Snort mailing list archives
Re: snort3: appid can not detect ssh
From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Thu, 28 Apr 2022 00:48:48 +0300
Yes, I do. My config (attached too):

HOME_NET = "any"
EXTERNAL_NET = "any"
dofile("/var/lib/snort/snort_defaults.lua")
dofile("/var/lib/snort/file_magic.lua")
references = default_references
classifications = default_classifications
output = { logdir="/var/log/snort/", show_year=true}
process = { daemon=true }
snort = { ["-e"] = true, ["-M"] = true, ["--create-pidfile"] = true, ["-z"] = 1, ["--id-zero"] = true , ["-Q"] = true}
ips = { mode = "inline", enable_builtin_rules = false, variables = default_variables }
perf_monitor = { base = false, output = "file", format = "text" }
alerts = { order ="pass reset block drop alert log" }
binder={}
wizard = default_wizard
alert_fast = {file=true}
stream={}
stream_tcp={}
stream_udp={}
http_inspect={}
ssl={}
appid = { app_stats_rollover_size=0, app_detector_dir = "/etc/snort/openappid/" }
ssh={}
stream_icmp={}
stream_ip={}
stream_user={}
binder[1]={ use = { type = "ssh" }, when = { service = "ssh" } }
binder[2]={ use = { type = "ssl" }, when = { service = "ssl" } }
binder[3]={ use = { type = "http_inspect" }, when = { service = "http" } }
binder[4]={ use = { type = "wizard" } }
daq = { module_dirs = { "/usr/lib/daq" } }
daq.inputs = {'1'}
daq.modules = { { name = 'nfq', mode='inline' } }
daq.modules[1].variables = { 'debug'}

Additional info: the problem exists when the connection was made between Linux with OpenSSH 8.3p1 and Linux Ubuntu with OpenSSH 8.2p1.
I have such a log in this case:

Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 New AppId session
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 Published event for changes: created
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 stopped service/client discovery
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Published event for changes: service

When I make a connection, for example from Windows WinSCP (proto WinSCP) to Ubuntu OpenSSH 8.2p1, all is OK and I have such a log:

Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor WinSCP and version release_5.17.7
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg handle: serv.fin:1 cli.fin:0
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg handle: serv.fin:1 cli.fin:1
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg: client_success: vendor=WinSCP
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler identified client with AppId 4658
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler service detected
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service, client, service-info, client-info

Wed, 27 Apr 2022 at 16:27, Al Lewis (allewi) <allewi () cisco com>:
Hello,

Do you have a config file that you can share?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Wednesday, April 27, 2022 at 6:58 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] snort3: appid can not detect ssh

Hello,

I use snort3.1.20 and try to detect appid OpenSsh. I've set up the ssh inspector, binder, and stream inspectors, and made an ssh request through router srv1. All appids are loaded in snort. No ssh is detected. In the log I can see:

Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg handle: serv.fin:1 cli.fin:0
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 stopped service/client discovery
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service

The line "handle: serv.fin:1 cli.fin:0" in the log is my debug output in the void SshEventHandler::handle(DataEvent& event, Flow* flow) function, before the "if (data->service_info.finished and data->client_info.finished)" code line. Is it a bug or something wrong with my setup?

Thanks
Attachment: srv.conf
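As an added triage aid (not code from the thread or from Snort), the following Python script parses AppIdDbg lines in the format shown above, groups them per flow regardless of which direction the tuple is printed in, and lists the flows where discovery stopped before a client AppId was assigned, together with the version strings and key-exchange events the handler had already seen. The sample lines are constructed to mirror the failing and the successful session in the thread.

```python
import re
from collections import defaultdict

# Flow tuple as printed in the thread: "AppIdDbg <src> <sport> -> <dst> <dport> <proto> AS=<n> ID=<n> <msg>"
LINE_RE = re.compile(r"AppIdDbg (?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) AS=\d+ ID=\d+ (?P<msg>.*)$")
VERSION_RE = re.compile(r"read SSH version string with vendor (\S+) and version (\S+)")

# Constructed sample lines modelled on the thread's failing (OpenSSH->OpenSSH) and successful (WinSCP) sessions.
SAMPLE_LOG = [
    "Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1",
    "Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3",
    "Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow",
    "Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 stopped service/client discovery",
    "Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1",
    "Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor WinSCP and version release_5.17.7",
    "Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange",
    "Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg handle: serv.fin:1 cli.fin:0",
    "Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler identified client with AppId 4658",
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key, since the tuple is printed in whichever direction the event came from."""
    return tuple(sorted([(src, int(sport)), (dst, int(dport))])) + (proto,)

def triage_appid_ssh(lines):
    """Track, per flow, how far AppId's SSH event handler got before discovery ended."""
    flows = defaultdict(lambda: dict(versions=[], kex=0, stopped=False, stop_reason=None, client_identified=False))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a flow tuple (e.g. "handle: serv.fin:...") cannot be attributed
        f = flows[flow_key(m["src"], m["sport"], m["dst"], m["dport"], m["proto"])]
        msg = m["msg"]
        if v := VERSION_RE.search(msg):
            f["versions"].append((v.group(1), v.group(2)))
        elif "received valid key exchange" in msg:
            f["kex"] += 1
        elif msg.startswith("Packet out-of-order"):
            f["stop_reason"] = msg
        elif "stopped service/client discovery" in msg:
            f["stopped"] = True
        elif "identified client with AppId" in msg:
            f["client_identified"] = True
    return dict(flows)

def undetected_flows(summary):
    """Flows where discovery stopped with no client AppId, with what the handler had seen so far."""
    return [(key, f"versions={f['versions']} kex={f['kex']} reason={f['stop_reason']}")
            for key, f in summary.items() if f["stopped"] and not f["client_identified"]]
```

Feed it the real daemon log instead of SAMPLE_LOG to see, for every SSH flow, whether both version strings arrived and whether a key exchange was seen before the out-of-order stop.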
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!