Re: snort3 : appid problem

[Meridoff via Snort-users <snort-users () lists snort org>]

I've debugged that p->flow is NULL, so packet is ignored
in  AppIdInspector::eval()

Why my packet flow is NULL ? I mean member "Flow flow" of Packet class
May be something absent in my config ?

My rule is: alert tcp any any -> any any ( gid:8000; appids:"Jabber";
msg:"appid"; sid:12345678;  )



пн, 22 окт. 2018 г. в 4:03, Al Lewis (allewi) <allewi () cisco com>:

> Tested locally and it works…
>
>
>
>
>
> [speaker@speaker snort3-FROM-GIT]$ ./bin/snort -c etc/snort/snort.lua -R
> etc/snort/rules.txt -r jabber.pcap -Acmg -k none -q | more
>
> 12/10-04:55:05.799396 [**] [1:12345678:0] "Jabber" [**] [Priority: 0]
> [AppID: Jabber] {TCP} 192.168.21.111:53918 -> 192.168.10.22:5222
>
> B4:99:BA:E4:D7:48 -> 4C:4E:35:EB:2D:CB type:0x800 len:0xD6
>
> 192.168.21.111:53918 -> 192.168.10.22:5222 TCP TTL:128 TOS:0x0 ID:14932
> IpLen:20 DgmLen:200 DF
>
> ***AP*** Seq: 0xD32CAB47  Ack: 0x82741A88  Win: 0x102  TcpLen: 20
>
>
>
> snort.raw[160]:
>
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
>
> 3C 3F 78 6D 6C 20 76 65  72 73 69 6F 6E 3D 27 31  <?xml ve rsion='1
>
> 2E 30 27 20 3F 3E 3C 73  74 72 65 61 6D 3A 73 74  .0' ?><s tream:st
>
> 72 65 61 6D 20 74 6F 3D  27 75 63 64 65 6D 6F 2E  ream to= 'ucdemo.
>
> 63 69 73 63 6F 2E 6C 6F  63 61 6C 27 20 78 6D 6C  cisco.lo cal' xml
>
> 6E 73 3D 27 6A 61 62 62  65 72 3A 63 6C 69 65 6E  ns='jabb er:clien
>
> 74 27 20 78 6D 6C 6E 73  3A 73 74 72 65 61 6D 3D  t' xmlns :stream=
>
> 27 68 74 74 70 3A 2F 2F  65 74 68 65 72 78 2E 6A  'http:// etherx.j
>
> 61 62 62 65 72 2E 6F 72  67 2F 73 74 72 65 61 6D  abber.or g/stream
>
> 73 27 20 20 78 6D 6C 3A  6C 61 6E 67 3D 27 65 6E  s'  xml: lang='en
>
> 27 20 76 65 72 73 69 6F  6E 3D 27 31 2E 30 27 3E  ' versio n='1.0'>
>
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
>
>
>
>
>
> Also.. Is there a reason that you don’t have a message in your rule?
>
>
>
> The rule I used is:
>
>
>
> alert tcp any any -> any any ( msg:"Jabber"; sid:12345678;
> appids:"Jabber";)
>
>
>
>
>
>
>
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> Cisco Systems Inc.
>
> Email: allewi () cisco com
>
>
>
>
>
> *From: *"Al Lewis (allewi)" <allewi () cisco com>
> *Date: *Sunday, October 21, 2018 at 2:02 PM
> *To: *Meridoff <oagvozd () gmail com>, "Snort-users () lists snort org" <
> Snort-users () lists snort org>
> *Subject: *Re: [Snort-users] snort3 : appid problem
>
>
>
> Hello,
>
>
>
> Do you have a pcap of the traffic being used that you can share for
> testing?
>
>
>
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> Cisco Systems Inc.
>
> Email: allewi () cisco com
>
>
>
>
>
> *From: *Snort-users <snort-users-bounces () lists snort org> on behalf of
> Meridoff via Snort-users <Snort-users () lists snort org>
> *Reply-To: *Meridoff <oagvozd () gmail com>
> *Date: *Friday, October 19, 2018 at 2:23 PM
> *To: *"Snort-users () lists snort org" <Snort-users () lists snort org>
> *Subject: *[Snort-users] snort3 : appid problem
>
>
>
> Hello, i've turned on inspector appids and configured all that needs for
> appid (open app id dir and so on).
>
>
>
> Annd I have manual rule with appids keyword:
>
> drop tcp any any -> any any (sid:12345678; appids:"Jabber";)
>
>
>
> Then try to register jabber user - Jabber traffic goes through interface
> on witch snort listens, but nothing happens - nothing blocked and no alerts
> logged into log files.
>
>
>
>
>
> What is the example for using appids and what are the requirements for
> appids to work?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette