Snort mailing list archives

Re: (no subject)


From: "Russ Combs \(rucombs\) via Snort-devel" <snort-devel () lists snort org>
Date: Sun, 26 Apr 2020 22:15:21 +0000

Thanks Noah.  This is related to a rule service issue we are planning to fix.  If you know the service you should add it to 
the rules.  That should fix it in those cases.

Russ

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Noah Dietrich <noah_dietrich () 86penny org>
Date: Sunday, April 26, 2020 at 11:29 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] (no subject)


I've found a weird bug in Snort 3.0.1 b1, compiled from GitHub.  When you load the community or registered ruleset, any 
local rules you have that use AppID don't work.  If you don't load the rulesets, then the rules work.  Other local 
rules that don't use OpenAppID work just fine, it's just the rules that use AppID don't alert.

I have a local.rules file with the following two alerts:
alert tcp any any -> any any ( msg:"Facebook Detected"; appids:"Facebook";sid:10000001; )
alert icmp any any -> any any (msg:"ICMP Traffic Detected";sid:10000002;)

When I run snort with only these two rules, they work fine (both Facebook and ICMP generate alerts):
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none

If I also include the registered ruleset (by using the snort.lua file that came with the ruleset) along with my 
local.rules, the ICMP rule still generates alerts, but the facebook rule using AppID doesn't generate any alerts.

Attached are the two snort.lua files I used to show this error.  snort2.lua doesn't have the ruleset rules enabled and 
works fine. snort.lua has the ruleset rules enabled, and doesn't generate any AppID alerts. I'm running snort using the 
same command line options (except for the different config file path).

I'm also logging AppID stats, and I can see that AppID is seeing Facebook traffic, even when alerts aren't generating:
1587910819,__unknown,3786,7580
1587910819,DNS,279,339
1587910819,Facebook,4951,90222
1587910819,NetBIOS-dgm,450,0
1587910819,NetBIOS-ns,736,0
1587910819,HTTPS,4951,90222
1587910819,SSL client,4951,90222

I'm running the latest snort (3.0.1 b2 from GitHub, on Ubuntu 20 x64) and the latest OpenAppID detectors 
(https://snort.org/downloads/openappid/12159).

noah@snort3:~/snort_src$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.1 (Build 2)
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.43 2019-02-23
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.2.1 2020-04-25
           Using LZMA version 5.2.4

Let me know if you need anything else.
Thanks
Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
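As an added example (not code from this thread or from the Snort project), here is a small Python lint that applies the advice in Russ's reply at the top of this page: it parses rule lines like the two in Noah's local.rules and reports any rule that uses appids but carries no service option. The parser is a simplified one written for this example and assumes one rule per line; the sample rules are the two from the report, embedded as constructed input.

```python
"""Lint Snort 3 rules for the AppID/service pitfall described in this thread.

Added example, not code from the Snort project or from the thread's authors.
Rules that match on 'appids' but carry no 'service' option are reported,
since the reply recommends adding the service to such rules.
"""
import re

# Constructed sample: the two rules from local.rules in the report above.
SAMPLE_RULES = """\
alert tcp any any -> any any ( msg:"Facebook Detected"; appids:"Facebook";sid:10000001; )
alert icmp any any -> any any (msg:"ICMP Traffic Detected";sid:10000002;)
"""

# action proto src sport dir dst dport ( options )  -- one rule per line assumed
_HEADER = re.compile(r"^\s*(\w+)\s+(\S+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$")


def split_options(body):
    """Split the option body on ';' while honouring double-quoted strings."""
    opts, cur, quoted, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Return (action, proto, {option_name: raw_value}) or None for non-rule lines."""
    m = _HEADER.match(line)
    if not m:
        return None
    options = {}
    for opt in split_options(m.group(4)):
        name, _, value = opt.partition(":")
        options[name.strip()] = value.strip()
    return m.group(1), m.group(2), options


def appid_rules_missing_service(text):
    """sids of rules that use appids but name no service (these may silently not fire)."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed and "appids" in parsed[2] and "service" not in parsed[2]:
            flagged.append(parsed[2].get("sid", "<no sid>"))
    return flagged
```

Running appid_rules_missing_service over SAMPLE_RULES reports sid 10000001 (the Facebook rule) and leaves the ICMP rule alone.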
