Snort mailing list archives
snort3: appid can not detect ssh
From: "Costas Kleopa \(ckleopa\) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 28 Apr 2022 03:13:49 +0000
Adding the AppID distribution list.

Meridoff, can you also tell us what kind of IPS rule you are using for triggering this traffic? Do you have the complete output of Snort's logging when the pcap is tested as well?

Thanks,
Costas

On Apr 27, 2022, at 5:50 PM, Meridoff via Snort-devel <snort-devel () lists snort org> wrote:

Yes, I do. My config (attached too):

    HOME_NET = "any"
    EXTERNAL_NET = "any"
    dofile("/var/lib/snort/snort_defaults.lua")
    dofile("/var/lib/snort/file_magic.lua")
    references = default_references
    classifications = default_classifications
    output = { logdir="/var/log/snort/", show_year=true}
    process = { daemon=true }
    snort = { ["-e"] = true, ["-M"] = true, ["--create-pidfile"] = true, ["-z"] = 1, ["--id-zero"] = true , ["-Q"] = true}
    ips = { mode = "inline", enable_builtin_rules = false, variables = default_variables }
    perf_monitor = { base = false, output = "file", format = "text" }
    alerts = { order ="pass reset block drop alert log" }
    binder={}
    wizard = default_wizard
    alert_fast = {file=true}
    stream={}
    stream_tcp={}
    stream_udp={}
    http_inspect={}
    ssl={}
    appid = { app_stats_rollover_size=0, app_detector_dir = "/etc/snort/openappid/" }
    ssh={}
    stream_icmp={}
    stream_ip={}
    stream_user={}
    binder[1]={ use = { type = "ssh" }, when = { service = "ssh" } }
    binder[2]={ use = { type = "ssl" }, when = { service = "ssl" } }
    binder[3]={ use = { type = "http_inspect" }, when = { service = "http" } }
    binder[4]={ use = { type = "wizard" } }
    daq = { module_dirs = { "/usr/lib/daq" } }
    daq.inputs = {'1'}
    daq.modules = { { name = 'nfq', mode='inline' } }
    daq.modules[1].variables = { 'debug'}

Additional info: the problem exists when the connection is made between Linux with OpenSSH 8.3p1 and Linux Ubuntu with OpenSSH 8.2p1.
I have this log in that case:

    Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 New AppId session
    Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 Published event for changes: created
    Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
    Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
    Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
    Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
    Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 stopped service/client discovery
    Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Published event for changes: service

When I make a connection, for example from Windows WinSCP (proto WinSCP) to Ubuntu OpenSSH 8.2p1, all is OK and I have this log:

    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor WinSCP and version release_5.1 7.7
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg handle: serv.fin:1 cli.fin:0
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg handle: serv.fin:1 cli.fin:1
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg: client_success: vendor=WinSCP
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler identified client with AppId 4658
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler service detected
    Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service, client, service-info, client-info

On Wed, 27 Apr 2022 at 16:27, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,

Do you have a config file that you can share?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Wednesday, April 27, 2022 at 6:58 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] snort3: appid can not detect ssh

Hello,

I use Snort 3.1.20 and am trying to detect the AppId OpenSSH. I've set up the ssh inspector, binder and stream inspectors, and made an SSH request through router srv1. All AppIds are loaded in Snort.
No SSH is detected. In the log I can see:

    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg handle: serv.fin:1 cli.fin:0
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 stopped service/client discovery
    Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service

The line "handle: serv.fin:1 cli.fin:0" in the log is my own debug output in the void SshEventHandler::handle(DataEvent& event, Flow* flow) function, placed before the "if (data->service_info.finished and data->client_info.finished)" line.

Is it a bug, or is something wrong with my setup?

Thanks

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Attachment: srv.conf
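A small triage helper, added here as an example and not part of this thread, of the poster's debug patch, or of the Snort code base. It groups the AppIdDbg lines quoted above by flow (direction-normalised, so both halves of a session land in one record) and reports, per flow, which SSH version strings were read, how many "valid key exchange" events the SSH event handler saw, whether it reached "service detected" and a client AppId, or whether AppId stopped discovery first after an out-of-order packet. The message strings it matches are copied from the logs in the thread and are assumed to be stable for this Snort build; the sample input is those same log lines with the syslog prefix removed.

```python
"""Triage Snort 3 AppIdDbg output for SSH flows whose AppId detection stalls.

Added example for this thread; it is not Snort code and not the poster's
debug patch. The message texts it matches are taken from the logs quoted in
the thread and are assumed to be stable for that Snort build.
"""
import re

# Lines of the form:  AppIdDbg <sip> <sport> -> <dip> <dport> <proto> AS=n ID=n <message>
FLOW_RE = re.compile(
    r"AppIdDbg (?P<sip>\S+) (?P<sport>\d+) -> (?P<dip>\S+) (?P<dport>\d+) "
    r"(?P<proto>\d+) AS=\d+ ID=\d+ (?P<msg>.*)$"
)
VERSION_RE = re.compile(r"read SSH version string with vendor (\S+) and version (.+)$")
CLIENT_RE = re.compile(r"identified client with AppId (\d+)")


def flow_label(sip, sport, dip, dport):
    """Direction-independent label so both halves of a session share one record."""
    a, b = (sip, int(sport)), (dip, int(dport))
    if a > b:
        a, b = b, a
    return f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}"


def new_state():
    return {"versions": [], "kex": 0, "client_appid": None,
            "service_detected": False, "out_of_order": False,
            "discovery_stopped": False}


def classify(st):
    """Verdict per flow. In the thread's successful case the SSH handler reports
    the service and a client AppId only after both sides finished (the poster's
    serv.fin/cli.fin condition); if AppId stopped discovery before that, the
    flow is 'stalled'."""
    if st["service_detected"] and st["client_appid"] is not None:
        return "detected"
    if st["discovery_stopped"]:
        return "stalled"
    return "incomplete"


def summarize(lines):
    """Group AppIdDbg lines by flow and return {label: state-with-verdict}."""
    flows = {}
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # e.g. "AppIdDbg handle: serv.fin:1 cli.fin:0" carries no flow tuple
        label = flow_label(m["sip"], m["sport"], m["dip"], m["dport"])
        st = flows.setdefault(label, new_state())
        msg = m["msg"]
        if (v := VERSION_RE.search(msg)):
            st["versions"].append((v.group(1), v.group(2).strip()))
        elif (c := CLIENT_RE.search(msg)):
            st["client_appid"] = int(c.group(1))
        elif "received valid key exchange" in msg:
            st["kex"] += 1
        elif "SSH event handler service detected" in msg:
            st["service_detected"] = True
        elif "Packet out-of-order" in msg:
            st["out_of_order"] = True
        elif "stopped service/client discovery" in msg:
            st["discovery_stopped"] = True
    for st in flows.values():
        st["verdict"] = classify(st)
    return flows


# Sample input: the AppIdDbg lines quoted in this thread, syslog prefix dropped.
SAMPLE_LOG = [
    # OpenSSH 8.3 client -> OpenSSH 8.2p1 server: detection stalls
    "AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 New AppId session",
    "AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1",
    "AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection",
    "AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3",
    "AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow",
    "AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 stopped service/client discovery",
    # WinSCP client -> OpenSSH 8.2p1 server: detection succeeds
    "AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session",
    "AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1",
    "AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor WinSCP and version release_5.1 7.7",
    "AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange",
    "AppIdDbg handle: serv.fin:1 cli.fin:0",
    "AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange",
    "AppIdDbg handle: serv.fin:1 cli.fin:1",
    "AppIdDbg: client_success: vendor=WinSCP",
    "AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler identified client with AppId 4658",
    "AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler service detected",
    # OpenSSH 8.3 client -> OpenSSH 8.2p1 server, first report: one key exchange, then stalls
    "AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session",
    "AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3",
    "AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1",
    "AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange",
    "AppIdDbg handle: serv.fin:1 cli.fin:0",
    "AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow",
    "AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 stopped service/client discovery",
]

if __name__ == "__main__":
    for label, st in summarize(SAMPLE_LOG).items():
        print(f"{label}: {st['verdict']} versions={st['versions']} kex={st['kex']} "
              f"client_appid={st['client_appid']} out_of_order={st['out_of_order']}")
```

Run against a full AppIdDbg capture, this separates the flows where the SSH handler finished both sides (two key-exchange events, then "service detected" and a client AppId) from the OpenSSH-to-OpenSSH flows in the thread, which stop at one or zero key-exchange events right after "Packet out-of-order, not-ok flow". That makes it quick to check whether every stalled flow shares the out-of-order marker before digging into the stream reassembly or the handler's finished-state logic.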
Current thread:
- snort3: appid can not detect ssh Meridoff via Snort-devel (Apr 27)
- Re: snort3: appid can not detect ssh Al Lewis (allewi) via Snort-devel (Apr 27)
- Re: snort3: appid can not detect ssh Meridoff via Snort-devel (Apr 27)
- <Possible follow-ups>
- snort3: appid can not detect ssh Costas Kleopa (ckleopa) via Snort-devel (Apr 28)
- Re: snort3: appid can not detect ssh Al Lewis (allewi) via Snort-devel (Apr 27)