Snort mailing list archives

Re: snort3: problem with metadata: service http in sample.rules


From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sun, 5 Mar 2017 19:21:02 +0100

On Sun, Mar 5, 2017 at 3:05 PM, Russ <rucombs () cisco com> wrote:



On 3/4/17 5:09 PM, Marcin Dulak wrote:
Hi,

this is a follow-up to http://seclists.org/snort/2017/q1/593
To make it clear for others, that problem is due to mixing the old HTTP
inspector and friends (rule options) with the new one.  We are phasing
out the old one before the beta release (it was retained for certain
testing scenarios).

To avoid that problem delete the old library
(install/lib/snort_extra/inspectors//http_server.so) or use
--plugin-path install/lib/snort_extra/codecs/ so you just pick up the
external codec(s) you need.
Using --plugin-path /usr/lib64/snort_extra/codecs alone is not enough to
get http traffic detected, if snort3 sample.rules are present.
This is a different issue; see below.

The service option present in metadata in
https://github.com/snortadmin/snort3/blob/89bae69d5cd980ae56ef0322b6ef7cca87a75cf2/lua/sample.rules
seems to cause http to be undetected. To reproduce the problem:

# cat /etc/yum.repos.d/copr-marcindulak-snort.repo
[copr-marcindulak-snort]
name=copr-marcindulak-snort
baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg

# yum -y install snort snort-extra

# cp -f /etc/snort/sample.rules /etc/snort/rules/snort.rules
# echo 'alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)' >> /etc/snort/rules/snort.rules
This rule does not have service.  Instead of deleting service from all
the sample rules, add service to this rule in one of the following ways:

alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; metadata:service http; sid:3000001;)

alert http any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)

With that I get (using -A csv):

02/26-08:19:45.017007, 5, TCP, stream_tcp, 57, C2S, 192.168.17.20:34616, 192.168.17.30:80, 1:3000001:0, allow

stream_tcp indicates that this alert is firing on a PDU or PDU buffer,
not on a raw packet.  If no service rules exist, then the rules will be
evaluated against PDUs.  With service and non-service rules, non-service
rules only work on raw packets.  This distinction is important to
improve performance and reduce false positives.


together with the default sample.rules, this rule

alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; metadata:service http; sid:3000001;)

results in buffer (type 3) instead of packet (type 2) being logged in
unified2.log as u2spewfoo shows below. Is this expected?
The buffer record type is not described at
https://www.snort.org/faq/readme-unified2 and u2boat does not seem to
handle it.
https://github.com/jasonish/py-idstools does not understand unified2 buffer
record type either.

SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A csv -q
03/05-16:30:01.076418, 5, TCP, stream_tcp, 50, C2S, 192.168.17.20:44018, 192.168.17.30:80, 1:3000001:1, allow

# u2spewfoo /var/log/snort/unified2.log

(Event)
    sensor id: 0    event id: 36    event second: 1488729771    event microsecond: 741612
    sig id: 3000001    gen id: 1    revision: 1     classification: 1
    priority: 3    ip source: 192.168.17.20    ip destination: 192.168.17.30
    src port: 59580    dest port: 80    ip_proto: 255    impact_flag: 0    blocked: 0
    mpls label: 0    vland id: 0    policy id: 0

Buffer
    sensor_id: 0    event_id: 36    event_second: 1488729771
    packet_second: 1488729771    packet_microsecond: 741612
    packet_length: 50
[    0] 55 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C  User-Agent: curl
[   16] 2F 37 2E 32 39 2E 30 0D 0A 48 6F 73 74 3A 20 73  /7.29.0..Host: s
[   32] 6E 6F 72 74 30 0D 0A 41 63 63 65 70 74 3A 20 2A  nort0..Accept: *
[   48] 2F 2A                                            /*


However, removing "flow:to_server,established; http_uri;" we are back at
the raw packet, and the packet is logged in unified2.

alert tcp any any -> any 80 (msg:"test"; content:"/test"; metadata: service http; sid:3000001;)

SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A csv -q
03/05-16:30:01.076418, 4, TCP, raw, 138, C2S, 192.168.17.20:44018, 192.168.17.30:80, 1:3000001:1, allow

What is the relation between http_uri and metadata: service http?


Marcin


Key takeaway:  always indicate service in rules that have service
buffers like http_uri.

# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A alert_fast -q

# sed -i 's/service http//' /etc/snort/rules/snort.rules
# sed -i 's/,,/,/' /etc/snort/rules/snort.rules
# sed -i 's/:,/:/' /etc/snort/rules/snort.rules

# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A alert_fast -q
02/26-13:19:45.017007 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80

By the way, most snort3 rules are incompatible with snort2
(https://github.com/snortadmin/snort3/blob/master/doc/differences.txt).
I tried to use pulledpork's modifysig to convert community-rules.tar.gz
into a snort3 format, but that's not a reliable way.
You should use snort2lua to convert rules files from 2.X to 3.0 format.
Don't let the name fool you, it converts confs and/or rules.
How are you planning to transition into snort3 rules? By implementing
snort3 rules support in snort2?
At first 2.X rules will be translated with snort2lua.  I'll defer any
further input to Talos.

I noticed also that some types of attachments are stripped when posting on
snort-users.
I'm attaching test.txt (pcap), but no guarantee it will be available on
the list.

Cheers,

Marcin
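The takeaway Russ gives above (always declare a service in rules that use service buffers such as http_uri) can be enforced before a rule set is loaded. The following is an added example, not code from this thread or from the Snort project: a small Python linter that parses each rule's header and options, collects the declared services (header protocol, metadata:service, or the Snort 3 service: option), and reports any service buffer whose service is missing. The buffer list is an assumption for the example; the sample rules are constructed from the variants discussed in the thread.

```python
"""Lint Snort 3 rules that use a service buffer without declaring a service.

Added example, not code from this thread or from the Snort project. A rule
that uses a service buffer such as http_uri should declare its service,
either as the header protocol ("alert http ...") or via
"metadata:service http"; the Snort 3 "service:" option is also accepted.
The buffer list is an assumption for this example; extend it as needed.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Sticky buffers that are only filled when the matching service inspector
# ran; a rule using them is evaluated against PDUs, not raw packets.
SERVICE_BUFFERS: Dict[str, str] = {
    "http_uri": "http", "http_raw_uri": "http", "http_header": "http",
    "http_raw_header": "http", "http_cookie": "http", "http_raw_cookie": "http",
    "http_client_body": "http", "http_method": "http", "http_stat_code": "http",
    "http_stat_msg": "http",
}
TRANSPORTS = {"tcp", "udp", "icmp", "ip"}

HEADER_RE = re.compile(
    r"^\s*(?:alert|log|pass|drop|block|reject)\s+(?P<proto>\S+)\s+"
    r"\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<body>.*)\)\s*$"
)


class Finding(NamedTuple):
    lineno: int
    sid: Optional[str]
    buffer: str
    needed: str


def split_options(body: str) -> List[str]:
    """Split a rule body on ';' while respecting double-quoted values."""
    opts: List[str] = []
    cur: List[str] = []
    in_quote = escaped = False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def declared_services(proto: str, options: List[str]) -> Set[str]:
    """Services a rule declares via header protocol, metadata, or service:."""
    services: Set[str] = set()
    if proto.lower() not in TRANSPORTS:
        services.add(proto.lower())              # e.g. "alert http ..."
    for opt in options:
        name, _, value = opt.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "metadata":
            for entry in value.split(","):
                words = entry.split()
                if len(words) >= 2 and words[0].lower() == "service":
                    services.add(words[1].lower())
        elif name == "service":
            services.update(s.strip().lower() for s in value.split(","))
    return services


def lint_rule(line: str, lineno: int = 0) -> List[Finding]:
    """Return one Finding per service buffer whose service is not declared."""
    m = HEADER_RE.match(line)
    if not m:
        return []                                # blank, comment, or not a rule
    options = split_options(m.group("body"))
    services = declared_services(m.group("proto"), options)
    sid = next((o.partition(":")[2].strip() for o in options
                if o.partition(":")[0].strip().lower() == "sid"), None)
    findings = []
    for opt in options:
        name = opt.partition(":")[0].strip().lower()
        needed = SERVICE_BUFFERS.get(name)
        if needed and needed not in services:
            findings.append(Finding(lineno, sid, name, needed))
    return findings


def lint_rules(text: str) -> List[Finding]:
    """Lint a whole rules file, skipping comment lines."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip().startswith("#"):
            findings.extend(lint_rule(line, lineno))
    return findings


# Constructed sample: the rule variants discussed in the thread.
SAMPLE_RULES = """\
# service buffer without a service, then the two fixed forms, then no buffer
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; metadata:service http; sid:3000001;)
alert http any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; content:"/test"; metadata: service http; sid:3000001;)
"""

if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES):
        print(f"line {f.lineno} sid {f.sid}: {f.buffer} needs service "
              f"'{f.needed}' but the rule declares none")
```

Run against the sample, only the first rule is reported; the tcp rule with metadata:service http, the rule with http as header protocol, and the rule without any service buffer all pass.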

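Marcin also notes that u2boat and py-idstools do not handle the buffer record (type 3) that his http_uri rule produced in unified2.log. The following is an added example, not code from this thread, from Snort, or from either of those tools: a minimal unified2 reader that walks the type/length framing every record shares, decodes the documented type-2 packet record, and skips any other type (including type 3) by its length instead of failing. The type-3 layout is deliberately not parsed, since it is not covered by the README the thread cites; the sample byte stream is constructed here, reusing the 50 HTTP bytes from the u2spewfoo dump above.

```python
"""Walk a unified2 file and tolerate record types the reader does not know.

Added example, not code from this thread, from Snort, or from u2boat /
py-idstools. Every unified2 record starts with a 4-byte type and a 4-byte
length in network byte order, so a reader can always skip a record it does
not understand. The type-2 packet layout follows README.unified2; the
type-3 buffer record the thread observed is treated as opaque here. The
sample stream below is constructed for this example.
"""
import struct
from typing import Iterator, List, NamedTuple, Tuple

U2_HEADER = struct.Struct("!II")             # record type, payload length
# Serial_Unified2Packet fixed part: sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length
U2_PACKET_FIXED = struct.Struct("!IIIIIII")

UNIFIED2_PACKET = 2
UNIFIED2_BUFFER = 3      # type u2spewfoo printed as "Buffer" in the thread


class Record(NamedTuple):
    rtype: int
    payload: bytes


class Packet(NamedTuple):
    sensor_id: int
    event_id: int
    event_second: int
    packet_second: int
    packet_microsecond: int
    linktype: int
    data: bytes


def iter_records(blob: bytes) -> Iterator[Record]:
    """Yield (type, payload) records; stop cleanly at a truncated tail."""
    off = 0
    while off + U2_HEADER.size <= len(blob):
        rtype, length = U2_HEADER.unpack_from(blob, off)
        start = off + U2_HEADER.size
        if start + length > len(blob):
            break             # partial record, e.g. file still being written
        yield Record(rtype, blob[start:start + length])
        off = start + length


def parse_packet(payload: bytes) -> Packet:
    """Decode a type-2 packet record (fixed header + captured bytes)."""
    fields = U2_PACKET_FIXED.unpack_from(payload, 0)
    start = U2_PACKET_FIXED.size
    return Packet(*fields[:6], payload[start:start + fields[6]])


def summarize(blob: bytes) -> Tuple[List[Packet], List[Tuple[int, int]]]:
    """Return decoded packet records and (type, length) of everything else."""
    packets: List[Packet] = []
    others: List[Tuple[int, int]] = []
    for rec in iter_records(blob):
        if rec.rtype == UNIFIED2_PACKET:
            packets.append(parse_packet(rec.payload))
        else:
            others.append((rec.rtype, len(rec.payload)))   # skipped, not fatal
    return packets, others


def build_record(rtype: int, payload: bytes) -> bytes:
    """Frame a payload with the unified2 type/length header."""
    return U2_HEADER.pack(rtype, len(payload)) + payload


# Constructed sample: the 50 HTTP bytes from the thread's u2spewfoo dump.
HTTP_BYTES = b"User-Agent: curl/7.29.0\r\nHost: snort0\r\nAccept: */*"
SAMPLE = (
    build_record(UNIFIED2_PACKET,
                 U2_PACKET_FIXED.pack(0, 36, 1488729771, 1488729771, 741612,
                                      1, len(HTTP_BYTES)) + HTTP_BYTES)
    # buffer record with a made-up 24-byte header: the reader skips it whole
    + build_record(UNIFIED2_BUFFER, b"\x00" * 24 + HTTP_BYTES)
    # record whose declared length exceeds the data present: truncated tail
    + U2_HEADER.pack(UNIFIED2_PACKET, 99) + b"\x00" * 10
)

if __name__ == "__main__":
    packets, others = summarize(SAMPLE)
    for p in packets:
        print(f"packet event {p.event_id} @ {p.packet_second}."
              f"{p.packet_microsecond:06d}: {p.data!r}")
    for rtype, length in others:
        print(f"skipped record type {rtype} ({length} bytes)")
```

The point for a log consumer is in iter_records: because the length field is read from the header before the payload is interpreted, an unknown type costs one skip rather than a parse failure, and a truncated final record (a file still being written by Snort) ends the walk without an exception.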

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
