Snort mailing list archives

Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases


From: Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Date: Fri, 4 Sep 2020 06:38:46 +0300

Hello,

I am using the FreeBSD stable/12 branch with the netmap DAQ configuration.

snort3 is configured in inline mode with a simple ruleset, as below:

block ip any any -> any any ( msg:"block facebook"; appids:"facebook"; sid:9000000; )
block ip any any -> any any ( msg:"block wetransfer "; appids:"wetransfer"; sid:9000001; )
block ip any any -> any any ( msg:"block youtube"; appids:"youtube"; sid:9000002; )
block icmp any any -> any any ( msg:"icmp inline test"; sid:9000003; )

After upgrading from 3.0.1 to 3.0.2, appid detection is not working.
Same configuration with:
- snort3.0.1.2 - detection and block action work properly
- snort3.0.1.4 - detection and block action work properly
- snort3.0.2.4 - only sid 9000003 matches and blocks traffic; appid doesn't match any traffic.
- snort3.0.2.5 - only sid 9000003 matches and blocks traffic; appid doesn't match any traffic.

appid = { app_detector_dir = '/usr/local/etc/snort' }
rate_filter = { }
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
arp_spoof = { }
back_orifice = { }
dnp3 = { }
dns = { }
http_inspect = { }
http2_inspect = { }
imap = { }
modbus = { }
normalizer = { tcp = { ips = true } }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }

In snort 3.0.2*, do we need to change any configuration?

Regards
Özkan
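As an added example (not part of the original post, and not code from the Snort project), here is a small Python parser for rule lines of the form used above. It separates rules that depend on AppID (those carrying an `appids:` option) from the rest and flags missing or duplicate sids. That split is the diagnostic reasoning behind the report: the one rule without `appids` (sid 9000003) still fires after the upgrade, so rule loading and the inline block path are fine and the failure is confined to AppID classification. The rule grammar handled (header plus `name:value;` options with double-quoted values) is an assumption covering only the subset used in the post; the `SAMPLE_RULES` input is constructed from the rules above.

```python
"""Parse Snort 3 text rules and separate the ones that depend on AppID.

Added example, not code from the Snort project. Handles only the rule
subset used in the post: a header followed by "name:value;" options.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the four rules from the post, one per line.
SAMPLE_RULES = """\
block ip any any -> any any ( msg:"block facebook"; appids:"facebook"; sid:9000000; )
block ip any any -> any any ( msg:"block wetransfer "; appids:"wetransfer"; sid:9000001; )
block ip any any -> any any ( msg:"block youtube"; appids:"youtube"; sid:9000002; )
block icmp any any -> any any ( msg:"icmp inline test"; sid:9000003; )
"""

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+"
    r"\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    sid: Optional[int]
    msg: str = ""
    appids: List[str] = field(default_factory=list)


def split_options(body: str) -> List[str]:
    """Split the option body on ';' while respecting double-quoted values."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if quoted and c == "\\" and i + 1 < len(body):  # keep escaped chars verbatim
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def unquote(value: str) -> str:
    """Strip one pair of surrounding double quotes, if present."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = Rule(action=m.group("action"), proto=m.group("proto"), sid=None)
    for opt in split_options(m.group("opts")):
        name, _, value = opt.partition(":")
        name = name.strip().lower()
        if name == "sid":
            rule.sid = int(value.strip())
        elif name == "msg":
            rule.msg = unquote(value)
        elif name == "appids":
            # appids takes a comma-separated list of application names.
            rule.appids = [a.strip() for a in unquote(value).split(",") if a.strip()]
    return rule


def check_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Parse every non-comment line; return the rules and a list of findings."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    findings, seen = [], set()
    for r in rules:
        if r.sid is None:
            findings.append(f"rule '{r.msg}' has no sid")
        elif r.sid in seen:
            findings.append(f"duplicate sid {r.sid}")
        else:
            seen.add(r.sid)
    return rules, findings


def appid_dependent_sids(rules: List[Rule]) -> List[int]:
    """SIDs that can only fire once AppID has classified the flow."""
    return [r.sid for r in rules if r.appids and r.sid is not None]


if __name__ == "__main__":
    rules, findings = check_rules(SAMPLE_RULES)
    print("AppID-dependent sids:", appid_dependent_sids(rules))
    print("Other sids:", [r.sid for r in rules if not r.appids])
    print("Findings:", findings or "none")
```

Run against the sample it reports sids 9000000-9000002 as AppID-dependent and 9000003 as independent; if, after an upgrade, exactly the first group goes silent while the second keeps firing, the next thing to inspect is the appid module (its detector directory and whether it classifies flows at all), not the rule file.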
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
