Snort mailing list archives

Re: snort3 : appid problem


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 31 Oct 2018 16:37:20 +0000

I used the default config and appid download. It alerted without issue for me.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com


From: Meridoff <oagvozd () gmail com>
Date: Wednesday, October 31, 2018 at 12:04 PM
To: "Al Lewis (allewi)" <allewi () cisco com>, "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: Re: [Snort-users] snort3 : appid problem

I've debugged that p->flow is NULL, so the packet is ignored in AppIdInspector::eval().

Why is my packet flow NULL? I mean the "Flow flow" member of the Packet class.
Maybe something is absent in my config?

My rule is: alert tcp any any -> any any ( gid:8000; appids:"Jabber"; msg:"appid"; sid:12345678; )



Mon, Oct 22, 2018 at 4:03, Al Lewis (allewi) <allewi () cisco com>:
Tested locally and it works…


[speaker@speaker snort3-FROM-GIT]$ ./bin/snort -c etc/snort/snort.lua -R etc/snort/rules.txt -r jabber.pcap -Acmg -k none -q | more
12/10-04:55:05.799396 [**] [1:12345678:0] "Jabber" [**] [Priority: 0] [AppID: Jabber] {TCP} 192.168.21.111:53918 -> 192.168.10.22:5222
B4:99:BA:E4:D7:48 -> 4C:4E:35:EB:2D:CB type:0x800 len:0xD6
192.168.21.111:53918 -> 192.168.10.22:5222 TCP TTL:128 TOS:0x0 ID:14932 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0xD32CAB47  Ack: 0x82741A88  Win: 0x102  TcpLen: 20

snort.raw[160]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
3C 3F 78 6D 6C 20 76 65  72 73 69 6F 6E 3D 27 31  <?xml ve rsion='1
2E 30 27 20 3F 3E 3C 73  74 72 65 61 6D 3A 73 74  .0' ?><s tream:st
72 65 61 6D 20 74 6F 3D  27 75 63 64 65 6D 6F 2E  ream to= 'ucdemo.
63 69 73 63 6F 2E 6C 6F  63 61 6C 27 20 78 6D 6C  cisco.lo cal' xml
6E 73 3D 27 6A 61 62 62  65 72 3A 63 6C 69 65 6E  ns='jabb er:clien
74 27 20 78 6D 6C 6E 73  3A 73 74 72 65 61 6D 3D  t' xmlns :stream=
27 68 74 74 70 3A 2F 2F  65 74 68 65 72 78 2E 6A  'http:// etherx.j
61 62 62 65 72 2E 6F 72  67 2F 73 74 72 65 61 6D  abber.or g/stream
73 27 20 20 78 6D 6C 3A  6C 61 6E 67 3D 27 65 6E  s'  xml: lang='en
27 20 76 65 72 73 69 6F  6E 3D 27 31 2E 30 27 3E  ' versio n='1.0'>
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -


Also, is there a reason that you don't have a message in your rule?

The rule I used is:

alert tcp any any -> any any ( msg:"Jabber"; sid:12345678; appids:"Jabber";)




Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sunday, October 21, 2018 at 2:02 PM
To: Meridoff <oagvozd () gmail com>, "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: Re: [Snort-users] snort3 : appid problem

Hello,

Do you have a pcap of the traffic being used that you can share for testing?


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com


From: Snort-users <snort-users-bounces () lists snort org> on behalf of Meridoff via Snort-users <Snort-users () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Friday, October 19, 2018 at 2:23 PM
To: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: [Snort-users] snort3 : appid problem

Hello, I've turned on the appid inspector and configured everything needed for appid (the open app id dir and so on).

And I have a manual rule with the appids keyword:
drop tcp any any -> any any (sid:12345678; appids:"Jabber";)

Then I try to register a Jabber user. Jabber traffic goes through the interface on which snort listens, but nothing happens: nothing is blocked and no alerts are logged into the log files.


What is the example for using appids and what are the requirements for appids to work?
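As an added example (not code from this thread or from the Snort project): a small Python linter for Snort 3 text rules. It parses the rule header and the option list (honouring quoted values, so a `;` inside `msg` does not split the rule) and flags the points the thread turns on: a rule with no `msg` (Al's question), a rule with no `sid`, an `appids` option (which depends on the appid inspector being enabled with an app detector package, as the first message describes) and a `drop` action (which only blocks when Snort runs inline; when reading a pcap or sniffing passively nothing is actually dropped). The three rules it checks are the ones quoted in the thread; the finding texts are my own wording, and the parser is deliberately minimal (it does not validate option keywords against Snort's own list).

```python
import re
from dataclasses import dataclass, field

# The three rules posted in this thread, copied verbatim from the messages above.
THREAD_RULES = [
    'drop tcp any any -> any any (sid:12345678; appids:"Jabber";)',
    'alert tcp any any -> any any ( gid:8000; appids:"Jabber"; msg:"appid"; sid:12345678;  )',
    'alert tcp any any -> any any ( msg:"Jabber"; sid:12345678; appids:"Jabber";)',
]

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # list of (keyword, value-or-None)

    def get(self, keyword):
        """Return the first value for keyword, or None if the option is absent."""
        for k, v in self.options:
            if k == keyword:
                return v
        return None


def split_options(text):
    """Split 'k:v; k2; k3:"a;b";' into (keyword, value) pairs, honouring quotes."""
    opts, buf, in_quote, esc = [], [], False, False
    for ch in text:
        if esc:                       # character after a backslash inside quotes
            buf.append(ch)
            esc = False
        elif ch == '\\' and in_quote:
            buf.append(ch)
            esc = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ';' and not in_quote:
            opts.append(''.join(buf))  # ';' outside quotes ends an option
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError('unterminated quoted string in rule options')
    if ''.join(buf).strip():
        raise ValueError('option not terminated with ";": %r' % ''.join(buf).strip())
    pairs = []
    for raw in opts:
        raw = raw.strip()
        if not raw:
            continue
        key, sep, value = raw.partition(':')
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]       # strip the surrounding quotes
        pairs.append((key.strip(), value if sep else None))
    return pairs


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError('not a Snort text rule: %r' % text)
    return Rule(m['action'], m['proto'], m['src'], m['sport'], m['dir'],
                m['dst'], m['dport'], split_options(m['opts']))


def lint_rule(text):
    """Return a list of findings (strings) for one rule; empty means nothing to report."""
    rule = parse_rule(text)
    findings = []
    if rule.get('sid') is None:
        findings.append('no sid: every text rule needs a unique sid')
    if rule.get('msg') is None:
        findings.append('no msg: alerts will carry no description')
    if rule.get('appids') is not None:
        findings.append('uses appids: needs the appid inspector enabled with an app detector package')
    if rule.action == 'drop':
        findings.append('drop action: blocks only when snort runs inline; '
                        'when reading a pcap or sniffing passively nothing is dropped')
    return findings


if __name__ == '__main__':
    for r in THREAD_RULES:
        print(r)
        for f in lint_rule(r):
            print('  -', f)
```

Run against the three rules, the original `drop` rule gets three findings (no msg, appids, drop), Meridoff's second rule one (appids) and Al's rule one (appids); the parser accepts the extra spaces inside the parentheses in the second rule just as Snort does.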