Re: [SUSPICIOUS] Re: Snort3: binder and wizard inspectors

[Russ via Snort-users <snort-users () lists snort org>]

We will add the ability to show services, probably with --help-module 
and --list-services.

On 11/6/18 6:31 AM, Meridoff via Snort-users wrote:
> вт, 6 нояб. 2018 г. в 14:21, Meridoff <oagvozd () gmail com 
> <mailto:oagvozd () gmail com>>:
>
>     I
>     пн, 5 нояб. 2018 г. в 19:54, Carter Waxman (cwaxman)
>     <cwaxman () cisco com <mailto:cwaxman () cisco com>>:
>
>         The full list for your install can be found with:
>
>         snort --plugin-path=/usr/local/lib/snort/ --help-plugins |
>         grep ^inspector
>
>         Replace /usr/local/lib/snort with the install paths you have
>         and note that --plugin-path must come before --help-plugins.
>
>
>     It shows only inspector names. But I need all possible 'service's
>     names to use in binder {}. For example, for FTP:
>     inspector::ftp_client: FTP inspector client module
>     inspector::ftp_data: FTP data channel handler
>     inspector::ftp_server: FTP inspector server module
>
>     But where is service named 'ftp'  or 'ftp-data' ? Which is used in
>     binder:
>
>         { when = { service = 'ftp' },  use = { type = 'ftp_server' } },
>         { when = { service = 'ftp-data' },   use = { type = 'ftp_data'
>     } },
>
>
>
> As I can see these services' names are hardcoded in InspectorApis and 
> only one method to get them is to look into default binder {}  table 
> in default snort.lua .
>
>
>
>
>
>
>
>
>
>         -Carter
>
>         *From: *Snort-users <snort-users-bounces () lists snort org
>         <mailto:snort-users-bounces () lists snort org>> on behalf of
>         Meridoff via Snort-users <Snort-users () lists snort org
>         <mailto:Snort-users () lists snort org>>
>         *Reply-To: *Meridoff <oagvozd () gmail com
>         <mailto:oagvozd () gmail com>>
>         *Date: *Sunday, November 4, 2018 at 12:08 AM
>         *To: *"Russ Combs (rucombs)" <rucombs () cisco com
>         <mailto:rucombs () cisco com>>
>         *Cc: *"snort-users () lists snort org
>         <mailto:snort-users () lists snort org>"
>         <Snort-users () lists snort org <mailto:Snort-users () lists snort org>>
>         *Subject: *[SUSPICIOUS] Re: [Snort-users] Snort3: binder and
>         wizard inspectors
>
>         Thanks a lot ! Many things became more clear.
>
>         And final question is : where I can get supported services
>         (their names) and/or services names supoorted for each
>         inspector ?
>
>         I can look into snort.lua/defaults.lua files but may be exists
>         other way.
>
>         Their names almost always identical, but some differs:
>         'ftp_server' inspector and 'ftp' service and some others..
>
>         вс, 4 нояб. 2018 г. в 1:36, Russ via Snort-users
>         <snort-users () lists snort org
>         <mailto:snort-users () lists snort org>>:
>
>             See below.
>             Russ
>
>             On 11/2/18 7:16 PM, Meridoff via Snort-users wrote:
>
>                 Hello, it's very brief info in manual about using
>                 wizard and binder.
>
>                 I have some questions concerning the most common use
>                 of them.
>
>                 1. Binder and wizard has "first match wins" logic in
>                 their config ?
>
>             Binder has first match wins logic for each of the things
>             it looks for (stream inspector, service inspector,
>             policy).  Wizard searches for all matches in parallel,
>             with first match wins at any given step.
>
>                 2. In binder we have "when" table - the match logic
>                 and "use" table - what to do  if match occure. Are the
>                 keys in when{}  have AND logic? (e.g.: when.ports and
>                 when.nets etc.. must match togather if specified)
>
>             Yes.
>
>                 3. In binder use.type - is the inspector to use for
>                 match case. But what means when.service and use.service?
>
>                 As far as I understand:
>
>                  3.1 we can define own 'service' in binder by    {
>                 when {port=123 }, use { service = "myserv" }  }
>
>             You can't define services in the binder rules, you can
>             only use existing services.
>
>                  3.2 we can define own 'service' in wizard by
>                 spell/hexes tables
>
>             Same thing. You can define match criteria for a service,
>             but it only helps if an inspector supports that service.
>
>                  3.3 if we have 'service' then we can use it in
>                 binder.use logic
>
>             when.service, user.type is the most common case which is
>             done in the default snort.lua.  use.service allows you to
>             map other criteria to a service, and a later rule in the
>             current table or a sub table can can be a when.service
>             rule.  You wouldn't normally use both when.service and
>             use.service in the same rule.
>
>                 4. What meaning of binder[].use.name
>                 
> <http://secure-web.cisco.com/1UjID5BhZe5vKtZrb184wWri-pqav--CBs5IO1d7hBt5FQ1c5dxxDIV8gXlfo1jfwF0AHgP_mn2dP7urcER5KELE28sRgRCwKWLXf4id_Su78NFzhn8LxIRfchGZCENmgKHtW4T1XD_hjlBz16Jigp-jLYRM1MljZvwqss3RnRvldAiW8ny_Le8ix65EUULrJj9Yr1FZShQNqlunmH0kRPobSd2ZO9c503sHdME8VnZ3NOMvvIXiFhp02uEFSlTKkM-sRkzSuz8C4xkzgIrn3S_XrFBk4UzWfwn7YbT4mmf6QxVruTTcijshzu7TI4YHRg20Ov4QUatzWDdfQV70BGw/http%3A%2F%2Fuse.name>
>                 ? Where its value can be used?
>
>             You can have multiple configurations for a given service.  Eg:
>
>             http_inspect = { }  -- default http config
>             other_http = { decompress_swf = true }  -- default http
>             with one change
>
>             To use other_http as an http_inspect config, you need a
>             binding like:
>
>             { when = { service = 'http' }, use = { name =
>             'other_http', type = 'http_inspect' }
>
>             You would typically have other when criteria to
>             distinguish this a binding for other_http from the default.
>
>                 5.So binder{} is evaluated 1st to identify service and
>                 2nd to identify what inspector to use for this service
>                 or what action to do (reset|block...).
>
>             To be precise, binder does not identify service, wizard
>             does that.
>
>                 6. Wizard usually goes last in binder{} so it is used
>                 to identify service that was failed to identify by
>                 bindings in binder ? And if we can identify serivce in
>                 wizard than we look into binder 2n time to decide what
>                 to do with it - what inspector or action to use and so
>                 on..
>
>             Yes.
>
>
>
>                 _______________________________________________
>
>                 Snort-users mailing list
>
>                 Snort-users () lists snort org
>                 <mailto:Snort-users () lists snort org>
>
>                 Go to this URL to change user options or unsubscribe:
>
>                 
> https://secure-web.cisco.com/1KoAbd2Fwy0zg-XH984gao_BYzKPrjtlSPf66_tA0GcWb0IMS564h3z-ToDV8nyG3IrhDQ3y2i8iQrvAX-aMaKOP7t1kGOBZD9K9R4JFnJxsmbOVPuF5o4PlwlrI-CsoBwuG8Be4J0maimprETCD9fPTT9-tsDXk7iFpblGdlon16y1E-jHT5ZjPPDfJZ0-PLaKlEouyL23BFf5JuzUzqsZdXgDMtetCGP8IPHKZK-qdKQfIz2YAtCgwD6lU7Ilf9uje0BFWNJXW7nl4VBHpQz-fFuyWu7E4Rq0XvS1Xhs4TJwOM602CsWkEn5n0Vj0sq/https%3A%2F%2Flists.snort.org%2Fmailman%2Flistinfo%2Fsnort-users
>
>                   
>
>                         To unsubscribe, send an email to:
>
>                         snort-users-leave () lists snort org
>                 <mailto:snort-users-leave () lists snort org>
>
>                   
>
>                 Please 
> visithttp://secure-web.cisco.com/172OQyn8Uj1_gl0BTtp4R0_TVY9ssUzfwExF6DpcMz8jF5Vg4C-yDakdskqQqFPajnCxrzuSWTLULrsq3s8wE00GYNpgix_1VSnHroQ7eDLEALuAbN7_6WHXY01vRr3NVh-UQJF34pSaT5dEeYDPGBWSxHXAVpZYgOACpFd1dVXYomybCpsJNLeUhCHpyWL2f3d_nbNj3WpBxhCKvYEkKBX_jL1zhFcJ86yx2vbcvnES2moVBwJga57t4aIOUMXPXMrwt7FUtz7CUVqJyktU23TDFUHVVc8fbAgMaL1L_CCgRKg6Or41O1Tm_l3Vb1ajiw0eKfXUZP1dcts0X8bGPLA/http%3A%2F%2Fblog.snort.org
>   to stay current on all the latest Snort news!
>
>                   
>
>                 Please follow these 
> rules:https://secure-web.cisco.com/1_RbiiCSYt2loRI3klHxAJCPKhuMDqdJGiJRLJMiTp1trDac7PZNlAlY5zLPJs95UdUKlk3o13EDmluqlS9wItlPo3RKOLY0ahBwjxetYJ7YC-HMxOeudDypS66zEanzeWRuVrOsKFs4ozr_hN8UkY26PXuU4fo7Myj0-8D_zhXPP1r-HiJFMi59p8qGpZBNljYBZXcULdz6LIClF4N_E90EbZACRRc3UIbyZgjjws-YimUDMoOuTSs3EYpWfgiFrXGJ1IvPqH2MPayq7R3Qy5W0gsSGL2PXUsSZujeckPcnpIjXTNAhzKRxg0vOefK_eMaDqikQUX9VHHQXvKxZCXQ/https%3A%2F%2Fsnort.org%2Ffaq%2Fwhat-is-the-mailing-list-etiquette
>
>             _______________________________________________
>             Snort-users mailing list
>             Snort-users () lists snort org
>             <mailto:Snort-users () lists snort org>
>             Go to this URL to change user options or unsubscribe:
>             
> https://secure-web.cisco.com/1KoAbd2Fwy0zg-XH984gao_BYzKPrjtlSPf66_tA0GcWb0IMS564h3z-ToDV8nyG3IrhDQ3y2i8iQrvAX-aMaKOP7t1kGOBZD9K9R4JFnJxsmbOVPuF5o4PlwlrI-CsoBwuG8Be4J0maimprETCD9fPTT9-tsDXk7iFpblGdlon16y1E-jHT5ZjPPDfJZ0-PLaKlEouyL23BFf5JuzUzqsZdXgDMtetCGP8IPHKZK-qdKQfIz2YAtCgwD6lU7Ilf9uje0BFWNJXW7nl4VBHpQz-fFuyWu7E4Rq0XvS1Xhs4TJwOM602CsWkEn5n0Vj0sq/https%3A%2F%2Flists.snort.org%2Fmailman%2Flistinfo%2Fsnort-users
>
>                     To unsubscribe, send an email to:
>             snort-users-leave () lists snort org
>             <mailto:snort-users-leave () lists snort org>
>
>             Please visit
>             
> http://secure-web.cisco.com/172OQyn8Uj1_gl0BTtp4R0_TVY9ssUzfwExF6DpcMz8jF5Vg4C-yDakdskqQqFPajnCxrzuSWTLULrsq3s8wE00GYNpgix_1VSnHroQ7eDLEALuAbN7_6WHXY01vRr3NVh-UQJF34pSaT5dEeYDPGBWSxHXAVpZYgOACpFd1dVXYomybCpsJNLeUhCHpyWL2f3d_nbNj3WpBxhCKvYEkKBX_jL1zhFcJ86yx2vbcvnES2moVBwJga57t4aIOUMXPXMrwt7FUtz7CUVqJyktU23TDFUHVVc8fbAgMaL1L_CCgRKg6Or41O1Tm_l3Vb1ajiw0eKfXUZP1dcts0X8bGPLA/http%3A%2F%2Fblog.snort.org
>             to stay current on all the latest Snort news!
>
>             Please follow these rules:
>             
> https://secure-web.cisco.com/1_RbiiCSYt2loRI3klHxAJCPKhuMDqdJGiJRLJMiTp1trDac7PZNlAlY5zLPJs95UdUKlk3o13EDmluqlS9wItlPo3RKOLY0ahBwjxetYJ7YC-HMxOeudDypS66zEanzeWRuVrOsKFs4ozr_hN8UkY26PXuU4fo7Myj0-8D_zhXPP1r-HiJFMi59p8qGpZBNljYBZXcULdz6LIClF4N_E90EbZACRRc3UIbyZgjjws-YimUDMoOuTSs3EYpWfgiFrXGJ1IvPqH2MPayq7R3Qy5W0gsSGL2PXUsSZujeckPcnpIjXTNAhzKRxg0vOefK_eMaDqikQUX9VHHQXvKxZCXQ/https%3A%2F%2Fsnort.org%2Ffaq%2Fwhat-is-the-mailing-list-etiquette
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette